Not at all. Most modern botnets have been spread by either spam emails or insecure/default passwords.
Mirai is the most obvious example of spreading by taking advantage of default passwords.
I think Grum was spread via emails, but I’m not entirely sure if I’m remembering that correctly.
A bit about each style:
Spreading through insecure passwords has a rapid start followed by diminishing returns over an extended period of time.
A spam-email-powered botnet will begin slowly but ramp up exponentially and for limited periods of time as dictated by the quality of the email list (and also the quality of the mail, dear sir or madam united through jesus).
If you just want to play around in a lab with virtual machines, then you can use the ‘Build Your Own Botnet’ project on GitHub, or just write your own, which I highly recommend.
I think that writing a basic botnet is a great little project to get a general understanding of networks, firewalls, anti-malware solutions, etc. depending on what sort of setup you test it on.
Correct me if I’m wrong about something.