The downsides of VoIP as a command channel are that it severely limits the number of zombie machines that can be contacted at once, and the rate at which stolen data can be sent out of a corporate network is limited by the phone system. But Kotler and Amit say the connections are plenty big to send commands in.

During their demo at the conference, the pair had an Asterisk IP PBX stand in as the corporate PBX. A virtual machine representing a zombie computer on a corporate network called via TCP/IP through the PBX and into a corporate conference call. A BlackBerry, representing the botmaster dialed in over the public phone network to the same conference call.

The researchers then used open source software to communicate between the botmaster phone and the zombie machine. Moshi Moshi includes a translator that converts commands into DTMF touch tones as input, and converts stolen data from text to speech for output. The resulting voice traffic is phoned into a voice mailbox that the botmaster can pick up whenever it's convenient.

One tricky part is configuring the PBX to allow DTMF tones to pass through into the conference. Another is that the botmaster has to create a DTMF-based language that the bots are programmed to understand.

The researchers say their demonstration was merely a proof of concept, and that it could work much better with refinements. For instance, incorporating modem technology into the scheme could result in faster exfiltration rates than sending speech-generation voicemails.