by troels 4372 days ago
One thing I don't quite understand - wouldn't it be possible to unravel a botnet? If you acquire one of the infected machines, a bit of reverse engineering (or perhaps just monitoring its network traffic) should presumably be able to reveal where it gets instructions from. It would probably take the cooperation of law enforcement, but assuming that, wouldn't it be possible - even practical - to do?

Yes, in the past, when they were more centralized with only a few IRC C&Cs, this was an easy solution.

However, now a botmaster is able to generate thousands of C&C centers from hacked boxes, via hidden TOR or I2P nodes, or shared hosting, as well as hundreds of thousands of varying infected malware, almost instantly. The only thing that requires effort from the botmaster now is spreading and constantly updating their slaves so they can keep them under control longer.

The actual implementation is the easy part of it.

I see. Still, the attacker has multiple surfaces to try and trace them through. Unless they are very careful, you would expect that they tend to slip every now and then, making it possible to find them? I would imagine that a dedicated security team within law enforcement would be able to get a pretty good success rate, but that doesn't appear to be the case?