Botnets account for a substantial portion of cybercrime. Botmasters utilize darkweb marketplaces to promote and provide their services, which can vary from renting or buying a botnet (or parts of it) to hiring services (e.g., distributed denial of service attacks). At the same time, botnet takedown attempts have proven to be challenging, demanding a combination of technical and legal methods, and often requiring the collaboration of a plethora of entities with varying jurisdictions. In this article, we map the elements associated with the business aspect of botnets and utilize them to develop adaptations of two widely used business models. Furthermore, we analyze the 28 most notable botnet takedown operations carried out from 2008 to 2021, in regard to the methods employed, and illustrate the correlation between these methods and the segments of our adapted business models. Our analysis suggests that the botnet takedown methods have been mainly focused on the technical side, but not on the botnet economic components. We aim to shed light on new takedown vectors and incentivize takedown actors to expand their efforts to methods oriented more toward the business side of botnets, which could contribute toward eliminating some of the challenges that surround takedown operations.

僵尸网络占网络犯罪的很大一部分。Botmasters 利用暗网市场来推广和提供他们的服务，从租用或购买僵尸网络（或其中的一部分）到租用服务（例如，分布式拒绝服务攻击）。与此同时，僵尸网络的移除尝试已被证明具有挑战性，需要技术和法律方法的结合，并且通常需要具有不同司法管辖区的众多实体的协作。在本文中，我们映射了与僵尸网络的业务方面相关的元素，并利用它们开发了两种广泛使用的业务模型的改编版本。此外，我们分析了从 2008 年到 2021 年开展的 28 次最著名的僵尸网络删除操作，就所采用的方法而言，并说明这些方法与我们调整后的业务模型的各个部分之间的相关性。我们的分析表明，僵尸网络的移除方法主要集中在技术方面，而不是僵尸网络的经济组成部分。我们的目标是阐明新的删除向量并激励删除参与者将他们的努力扩展到更面向僵尸网络业务方面的方法，这可能有助于消除围绕删除操作的一些挑战。