"They then use [those programs] to show ads to the owners of the systems, or to click through advertisements for which they get credit under some sort of affiliate program."
He said a second way bot herders profit is by renting out use of the bots to spammers. "They aren't advertised as bots, but as proxies available for spammers to use. And the bot herder will charge a fee based on the number of proxies available in a rotating list on a daily, or even an hourly, basis."
Lippard said he's heard of individual bot herders making "as much as $10,000 a month between adware and clickware fraud and the selling of proxies".
Using botnets to launch denial of service attacks is also on the rise, Lippard said. The initial targets for these attacks used to be offshore gambling websites and the credit card processors for those sites. "But it's been tried to a lesser extent against other businesses that depend on their websites for their operations to run."
Another common use of botnets is to scan captured machines for user names and passwords, software licence information, and contents of vital documents. Often keystroke loggers are loaded on these machines to retrieve user names and passwords, ID information, and anything that can potentially be used to make a profit.
Some variants of a bot known as Rinbot may be used to steal registration keys for video games.
While Christopher Maxwell's case was widely publicised, experts estimate there are scores of botnets that go undetected. As stealth is their stock in trade, it's difficult to get precise statistics on the growth of this menace.
Some rather alarming numbers have been provided by Symantec's semi-annual Internet Threat Report, published in March 2007. According to that report, botnet activity is up around 10 per cent over the previous period, with the US hosting about 40 per cent of the command and control nodes.
As the motivation of most bot herders is financial, they are keen that compromised systems stay infected and are not detected or repaired by the owners. As many experts point out, botnets take their time spreading in order to remain undetected, as their creators - unlike some other malicious coders - aren't necessarily trying to take over thousands of computers in the shortest time possible.
The only way they could be detected relatively quickly is if the bot herder went overboard and installed so much malware that the system became extremely slow - to the point of being nearly unusable.
Lippard's colleague Bob Hagen notes in his blog that methods and mechanisms used today to detect and eradicate botnet controllers are being rendered obsolete.
"Historically, most botnets utilised Internet Relay Chat (IRC) as the communications mechanism between bots and their controllers," noted Hagen, who is Director of Security Development at Global Crossing. "The bots would stay persistently connected to an IRC server and listen on a designated channel for commands." He said intrusion-detection technologies used to be able to detect this communication channel quite easily.
"Unfortunately," says Hagen, "the era of simplistic botnets may be nearing an end". Realising the ease by which bot communications can be discovered, he said bot herders are starting to use encrypted IRC communications, HTTP tunnelling, and peer-to-peer networking. He noted, however, that most enterprises don't view IRC as a critical business application and configure their firewalls to block it.
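The detection Hagen describes, a bot that stays persistently connected to an IRC server, can be expressed as a simple rule over connection logs. The following is an added example, not code from the article or from Global Crossing; it assumes a constructed, simplified flow-log format and flags hosts with long-lived or repeated IRC sessions, matching on IRC protocol verbs as well as ports so that a server moved to a non-standard port is still caught.

```python
"""Flag hosts holding persistent IRC-style command channels in flow logs.

Constructed log format (one session per line):
  <epoch_start> <src_ip> <dst_ip> <dst_port> <duration_s> "<first payload line>"
"""
import re
from collections import defaultdict

# Well-known IRC ports (assumption: the environment has no sanctioned IRC use).
IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 6697, 7000}
# IRC registration and channel verbs seen at the start of a session; matching on
# these catches controllers that listen on a non-standard port.
IRC_CMD_RE = re.compile(r"^(NICK|USER|JOIN|PASS)\s", re.I)
LONG_LIVED_S = 3600  # a bot "stays persistently connected"; an hour is the cut-off here
LOG_RE = re.compile(r'^(\d+) (\S+) (\S+) (\d+) (\d+) "(.*)"$')

# Constructed sample data: two bot-like hosts, two benign ones.
SAMPLE_LOG = [
    '1700000000 10.0.0.5 203.0.113.7 6667 7200 "NICK bot-4711"',
    '1700007300 10.0.0.5 203.0.113.7 6667 5400 "NICK bot-4711"',   # reconnect after drop
    '1700000100 10.0.0.9 198.51.100.20 8080 4000 "JOIN #cmd"',     # IRC verbs on port 8080
    '1700000200 10.0.0.12 192.0.2.44 443 30 "\\x16\\x03\\x01"',      # TLS, benign
    '1700000300 10.0.0.12 192.0.2.80 80 2 "GET / HTTP/1.1"',
    '1700000400 10.0.0.3 203.0.113.7 6667 20 "NICK alice"',         # one short session only
]

def parse_line(line):
    """Return a dict for a well-formed line, or None for anything unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    start, src, dst, port, dur, payload = m.groups()
    return {"start": int(start), "src": src, "dst": dst,
            "port": int(port), "duration": int(dur), "payload": payload}

def looks_like_irc(rec):
    """True if the session uses an IRC port or opens with an IRC protocol verb."""
    return rec["port"] in IRC_PORTS or bool(IRC_CMD_RE.match(rec["payload"]))

def find_suspect_hosts(lines, min_sessions=2):
    """Map src_ip -> [dst_ip] for hosts with a long-lived IRC session, or repeated
    sessions to the same server (a bot reconnecting to its controller)."""
    sessions = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and looks_like_irc(rec):
            sessions[(rec["src"], rec["dst"])].append(rec)
    suspects = defaultdict(list)
    for (src, dst), recs in sessions.items():
        if any(r["duration"] >= LONG_LIVED_S for r in recs) or len(recs) >= min_sessions:
            suspects[src].append(dst)
    return dict(suspects)
```

A short, one-off session to an IRC server (10.0.0.3 above) is deliberately not flagged, so the rule reports persistence rather than mere presence of IRC traffic.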