Botnets have been a recognized threat to computer security for years. On the timeline of malware development, they can be seen as the latest evolutionary step. Criminals have taken advantage of this new technology, and cyber crime has grown to become a serious and sophisticated problem which law enforcement still finds difficult to deal with. In the past few years we have been witnessing a movement away from cyber crime. Nation states have become targets of attacks and also actively use botnets to project their own power in the political or military domain. To study the new and emerging cases of botnet usage we propose a usage-centric botnet taxonomy. Although a number of botnet taxonomies have already been published, most of them take a technical viewpoint and often consider cyber crime the major driver of botnet use. While this may be true for now, we believe that such an approach might not be holistic enough to describe current and future developments. Besides the trend of specialized botnets being developed, the number of botnet users is increasing, with new motivations coming along. The taxonomy proposed in this paper takes a different viewpoint by focusing less on technical attributes than on the actors using botnets and the functionality requested by them. The major difference from existing research is that the proposed taxonomy classifies instances of botnet use. Based on existing taxonomies, case studies of recent botnet incidents and cyber warfare doctrines of selected nation-states, the authors explore theoretical and already observed ways of botnet usage. They propose a new classification of botnets based on their technological attributes, the users and the intended effects on the target to provide a holistic picture of the current situation. The authors also test the proposed taxonomy on seven instances of botnet use.
Published in: Proceedings of the 10th European Conference on Information Warfare and Security at the Tallinn University of Technology, Tallinn, Estonia, 7-8 July 2011.