Brian Krebs has a great blog post on the massive Virut botnet and its take-down last week. Run from over 23 domains in Poland, Virut was estimated to have many hundreds of thousands of bots worldwide, and was "custom-built to be rented out to cybercriminals." The botnet had been a major spam source since at least 2006. It took a large coordinated effort between Polish authorities and CERT Polska to take it offline.
Krebs details the sophistication of the Virut virus itself; for example, it has multiple safeguards incorporated to automatically respond if its infrastructure is attacked. What I found fascinating, though, was his description of the sophisticated Virut business. The original infection campaign came from an underground subscription app called Exerevenue that created royalties for each successful PC infection. It was bundled with legal distribution technology, and even came with its own EULA. Add to this business model the administration tasks connected with managing dozens of controllers, plus all the subversion and misdirection that goes into maintaining an illegal operation, and you are describing an enterprise of significant capability and maturity.
There are probably many such cybercrime organizations, some perhaps even bigger and better run than Virut, but we don't often get to see the detail of the operation itself. It highlights a new dilemma we face in cyber risk management: we must deal not only with increasingly dangerous malware, but also allocate resources to understanding sophisticated threat agents who can respond nimbly and intelligently to our countermeasures.