During the first three days after initial detection by FireEye, only four in ten anti-virus programs could spot the offending code, which suggests that many bots would evade security software during attacks on real PCs in they happened during this same period.

"The conclusion is that AV works better and better on old stuff - by the time something has been out for a couple of months, and is still in use, it's likely that 70-80 percent of products will detect it," says Staniford.

FireEye's appliances can be seen as an 'early warning' system because of the way they use behavioural analysis to spot malware in real time, in some cases days or weeks before a program has been formally identified and documented by security companies. By the time it has been spotted and a signature rolled out to anti-virus databases, however, it might already be too late.

Equally, many prominent security vendors will use similar techniques to spot malware as quickly as possible, making it surprising that so many anti-virus programs failed to spot FireEye's sample binaries. The reason might simply be the vast number of samples that appear in any given period.

What nobody doubts is the importance of botnets to the spread of malware and spam, as evidenced by the recent takedown of a US hosting company McColo, which had been accused of hosting botnet controllers. In the hours after the hoster's demise, spam levels were reported to have plummeted dramatically.