Sidebar: How big is the botnet problem?

Gigantic. Watchdog organization Shadowserver Foundation monitors the number of detected command-and-control servers -- which indicates how many individual botnets are out there -- and the number of clients these servers control.

From November 2006 through May 2007, Shadowserver reported roughly 1,400 command-and-control servers active at any given time, though the number varied hourly and ranged from 1,100 to more than 1,700.

If that sounds like small potatoes, consider that the real problem for enterprises isn't the number of networks but the skyrocketing number of drones they control. From March through May, active drones grew at an alarming rate from about a half million to more than 3 million, the organization says.

Shadowserver doesn't claim this is a count of all the bots and botnets out there, just the ones it detected in active use. No one knows how many machines lie dormant. Some researchers even have made the controversial claim that as many as 11 percent of the 1.1 billion computers worldwide with Internet access are infected and part of the available bot pool.

Symantec says it found 6 million infected bots in the second half of 2006. Currently, about 3.5 million bots are used to send spam daily, says Gadi Evron, a well-known botnet hunter.

The point is that the scale now is so vast that trying to count bots has become irrelevant, "The number doesn't matter," Evron says. "The bad guys control as many bots as they need to."

In fact, the Department of Justice and FBI have identified more than 1 million victims of botnet crimes.

Sidebar: Six ways to fight back against botnets

Botnets are a growing threat, but there are six steps that security professionals can take to fight back.

1. Hire a Web-filtering service.

Web-filtering services are one of the best ways to fight bots. These services scan for Web sites exhibiting unusual behavior or known malicious activity and block those sites from users.

Websense, Cyveillance and FaceTime Communications are examples. All monitor the Internet in real time to find Web sites engaged in suspicious activity, such as downloading JavaScript and performing screen scrapes and other tricks outside the boundaries of normal Web browsing. Cyveillance and Support Intelligence also offer services that notify Web-site operators and ISPs that malware has been discovered, so hacked servers can be fixed, they say.

2. Switch browsers

Another tactic to prevent bot infections is to standardize on a browser other than Internet Explorer or Mozilla Firefox, the two most popular and hence the browsers for which most malware is written. The same tactic works for operating systems. Macs statistically are safe from botnets, as is desktop Linux, because most bot herders target Windows.

3. Disable scripts

A more extreme measure is to disable browsers from scripts altogether, though this could put a damper on productivity if employees use custom, Web-based applications in their work.