Defcon: VoIP makes a good platform for controlling botnets

09.08.2011
LAS VEGAS -- and their can communicate with each other by calling into the same conference call and swapping data using touch tones, researchers demonstrated at Defcon.

This gives the botmasters -- whose top goals include remaining anonymous -- the ability to issue orders from random payphones and disposable handsets, say researchers Itzik Kotler and Iftach Ian Amit of and risk-assessment firm Security Art.

Using phones and the public phone networks eliminates one of the prime tools bot fighters have: takedown of botnets' command and control servers, the researchers say. If the botmaster isn't using a command and control server, it can't be taken down.

In fact, the botmaster can communicate with the zombie machines that make up the botnet without using the Internet at all if the zombies are within a corporate network. So even if a victim company's VoIP network is segregated from the data network, there is still a connection to the outside world.

In addition to its stealth, the VoIP tactic employs technology that readily pierces corporate firewalls and uses only traffic that is difficult for data loss prevention software to peer into. The traffic is streamed audio, so data loss prevention scanners can't recognize patterns of data they are supposed to filter, the researchers say.
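For defenders, the touch tones themselves are still recoverable from the audio even though byte-pattern scanners see nothing. The sketch below is an added example, not code from the researchers' talk: it uses the Goertzel algorithm to decode in-band touch tones from call audio and flags a call that carries more keypresses than a person navigating a phone menu would send. The 8 kHz sample rate, float samples in [-1, 1], the thresholds and the `max_digits` limit are assumptions, and `synth` only builds constructed test audio.

```python
import math

RATE = 8000                      # narrowband telephony sample rate (assumed)
LOW = (697, 770, 852, 941)       # DTMF row frequencies, Hz
HIGH = (1209, 1336, 1477, 1633)  # DTMF column frequencies, Hz
KEYS = ("123A", "456B", "789C", "*0#D")

def goertzel(frame, freq):
    """Signal power at one frequency (Goertzel algorithm)."""
    coeff = 2 * math.cos(2 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def frame_key(frame, floor=500.0, ratio=4.0):
    """Return the DTMF key in a frame, or None for silence, speech or noise."""
    lo = [goertzel(frame, f) for f in LOW]
    hi = [goertzel(frame, f) for f in HIGH]
    for group in (lo, hi):
        top, second = sorted(group, reverse=True)[:2]
        if top < floor or top < ratio * second:  # need one clear peak per group
            return None
    return KEYS[lo.index(max(lo))][hi.index(max(hi))]

def decode(samples, frame_len=205):
    """Collapse per-frame detections into the string of keys pressed."""
    out, prev, run = [], None, 0
    for i in range(0, len(samples) - frame_len + 1, frame_len):
        key = frame_key(samples[i:i + frame_len])
        run, prev = (run + 1 if key == prev else 1), key
        if key is not None and run == 2:  # same key in two consecutive frames
            out.append(key)
    return "".join(out)

def flag_call(samples, max_digits=20):
    """Flag audio with more touch tones than max_digits (assumed limit)."""
    digits = decode(samples)
    return len(digits) > max_digits, digits

def synth(keys, on=640, off=640):
    """Constructed test audio: clean tones of `on` samples, then silence."""
    pcm = []
    for k in keys:
        r = next(i for i, row in enumerate(KEYS) if k in row)
        w1, w2 = (2 * math.pi * f / RATE for f in (LOW[r], HIGH[KEYS[r].index(k)]))
        pcm += [0.5 * (math.sin(w1 * n) + math.sin(w2 * n)) for n in range(on)]
        pcm += [0.0] * off
    return pcm
```

This covers tones carried inside the audio stream only; VoIP systems that signal keypresses out of band would need those events counted separately.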