Researcher: Two big botnets gone, but replacements step up

16.01.2009

Donbot, Stewart said, was once a one-trick pony that stuck to spamming Russian recipients, but now "it's spamming for everything under the sun." He estimated Donbot's size at 125,000 compromised PCs, putting it in third place behind Cutwail and Rustock. "It was flying under the radar in 2008, but it seems to have grown pretty quickly," he said.

Also on his watch list is Xarvester, a botnet of approximately 60,000 machines that also apparently picked up spam customers after the junk mailers had to switch providers because of McColo.

And one botnet that died during 2008 -- the once notorious Storm -- may be back from the dead under a different name, said Stewart.

The new botnet, dubbed "Waledec," has too many similarities to the now-defunct Storm to be coincidence, he argued. "If it's not the same people, they would have had to study Storm intensively to match the functionality," Stewart said. "It's so similar that it's unlikely to be a different group."

Waledec is comparatively small -- just 10,000 bots so far -- but it could easily grow, said Stewart, who noted that this from-scratch rewrite uses much more powerful encryption than did Storm. That, he said, will make it nearly impossible for investigators to poke into the malware's innards for hints on how it works.