Well, it was a while ago that some Polish guys were openly advertising their 465K zombie network - I'd be most surprised if it isn't over 1M by now. And remember that hierarchical design is understood in the black hat world too. If somebody has 1M bots, it won't be 1M bots in one network, it will be several hundred subnets of several thousand bots, and some automated way to signal several hundred control nodes to each fire up their several thousand bots. So you may already have whacked off a 1% chunk of that 1M net several times already and not even realized it....
These guys are used to be on the run, looking for places to stash their botnets. IRC networks (which are not scared, and then usually just a few renegade opers and volunteers) are the ones who fight these networks. Hunting them down in different channels. Girlbots a year ago used an interesting algorithm to generate random channel names according to the date and time.. these guys are not that easy to find. Then there are the virus reversers and network analysts who reverse the sample or sniff the traffic to see where bots go, and shut that place down. Controllers/runners just move their bots quickly to a new location, and even if they lost one army.. there are others. Ever heard of don't put all your eggs in one basket? Regardless, they can always get new ones... and the people fighting them are in the shadows.. not even supported by their own people in many cases. IRC servers for example, are very afraid of pissing these kiddies off, so that they won't DDoS them. How many times have we seen an IRC DDoS taking down the entire ISP? There are other ways of controlling armies.. but so far IRC has proven to be the easiest in utilization and in moving quickly. Any other control mechanism would have to answer two main opposing factors. The easier it is to control them, the easier it is to take them away from you. How do you balance the two, if you are a kiddie? It's a never ending race. Think of that in P2P terms, and you will see what I mean. Exposure vs. ease of control. Who would go against them when they'd know their ISP would be down the very next day, though? There is no easy solution... and as long as AV companies treat Trojan horses as "garbage" and/or "not worth detecting", this is definitely not going to change. Then there is the issue of "open source malware" (not to be confused with the open source community). Today, any kid can find many code samples of writing their own Trojan horses, not to mention support forums online. Take for example the huge increase in malware per month, these past few years. One of the strains started with sdbot.. then ircbot.. then agobot.. then phatbot, rbot, whatever bot, korgobots (argh!) etc. Thousands of different samples, all related - and for most you can find quite a few versions of their sources online. It never ends.. I am just glad this is getting some attention now. Gadi Evron.