From The Honeynet Project & Research Alliance’s “Know your Enemy: Tracking Botnets” (13 March 2005):
An event that is not that unusual is that somebody steals a botnet from someone else. … bots are often “secured” by some sensitive information, e.g. channel name or server password. If one is able to obtain all this information, he is able to update the bots within another botnet to another bot binary, thus stealing the bots from another botnet. …
Something which is interesting, but rarely seen, is botnet owners discussing issues in their bot channel. …
Our observations showed that often botnets are run by young males with surprisingly limited programming skills. … we also observed some more advanced attackers: these persons join the control channel only seldom. They use only 1 character nicks, issue a command and leave afterwards. The updates of the bots they run are very professional. Probably these people use the botnets for commercial usage and “sell” the services. A low percentage use their botnets for financial gain. …
Another possibility is to install special software to steal information. We had one very interesting case in which attackers stole Diablo 2 items from the compromised computers and sold them on eBay. … Some botnets are used to send spam: you can rent a botnet. The operators give you a SOCKS v4 server list with the IP addresses of the hosts and the ports their proxy runs on. …
… some attackers are highly skilled and organized, potentially belonging to well organized crime structures. Leveraging the power of several thousand bots, it is viable to take down almost any website or network instantly. Even in unskilled hands, it should be obvious that botnets are a loaded and powerful weapon.