When Russian antivirus company Dr.Web discovered a botnet running on over 600,000 Mac OS X computers, it sparked attention even among those not normally interested in computer security. The scope of the infection, along with criticism of Apple’s response, offered another example of a persistent problem. Because they’re profitable, relatively easy to create, and only intermittently targeted by law enforcement, botnets have increased in size and sophistication. That demands constant vigilance from researchers, who are always looking to disrupt and shut down emerging threats.

Recent weeks have been flush with botnet takedowns, showing two different approaches to the problem. Microsoft launched a legal strike against the Zeus botnet, accompanying US Marshals who seized servers in Pennsylvania and Illinois. Just days earlier, another botnet had fallen thanks to a tactic that required no legal intervention and no seizures — “sinkholing.” Using this strategy, a team of researchers from the CrowdStrike Intelligence Team, Kaspersky Lab, the Honeynet Project, and Dell SecureWorks commandeered the Kelihos.B botnet. Last September they’d done the same with the original Kelihos network, estimated at around 40,000 computers, only to see a new variant emerge with almost 140,000 infected IP addresses, with that number still creeping up.

This second takedown illustrates several things about the battle against botnets, including the tenacity of their creators and the diligence of researchers fighting them. To get an inside look at the ongoing struggle, we talked to two members of the CrowdStrike Intelligence Team, director of intelligence Adam Meyers and senior research scientist Tillmann Werner, who also helped sinkhole the first Kelihos.