An excellent read from SecurityWatch@newsletters.101com.com.

A MULTIFACETED APPROACH TO UNDERSTANDING THE BOTNET PHENOMENON

Members of the Johns Hopkins University Computer Science Department have
conducted an excellent study analyzing bots and botnets (download the
PDF here: http://www.cs.jhu.edu/%7Eterzis/imc114f-aburajab.pdf ). It’s
an extremely comprehensive study of botnets over a three-month period
from early 2006. They constructed a sophisticated environment within
which they were able to become infected, determine what the infected
code does, monitor the actions of the code as well as the Command
and Control (C&C) channel used by the bot-master, and, finally,
detail the actual tasks performed by the bot-infected systems.

Without getting into human motivations, this study is extremely
informative to anyone attempting to prevent or detect bot activity.
It shows the difficulty in monitoring, detecting the sources and
identifying the bot-masters.

It also provides some insight into the size and scope of botnets,
indicating they are likely smaller than many of the media claims have
been. They provide an understanding of why that is, namely, the fact
that IRC servers have functional limitations on the number of
computers they can simultaneously control. They explain their
observations of how a few bot-masters attempt to overcome
that limitation.

It’s well worth a read. Hopefully this study will lead to more
research in this area. This study, coupled with the BT announcement
mentioned above, may well be a sign that we are making progress
against the bot-herders.
