Published: 2009-09-30
While big botnets get the lion's share of attention in the media, smaller botnets of fewer than 100 machines are the rule in most compromised corporate networks, according to research released last week by security firm Damballa.
The company analyzed 600 botnets that it encountered in enterprise networks in a three-month period, and found that the majority -- 57 percent -- were smaller than 100 nodes. Most of the smaller networks consisted of customized code created using one of the do-it-yourself malware kits available online.
"It looks to me as though these small botnets are highly-targeted at particular enterprises -- or enterprise vertical sector(s) -- typically requiring a sizable degree of familiarity with the breached enterprise itself," Gunter Ollmann, vice president of research for Damballa, wrote in a blog post.
Botnets have become a key tool in cybercriminals' schemes to illegally bilk Internet users of their data or money. The botnets that infect general Internet users tend to grow quickly: the network of computers infected by the Conficker worm, for example, likely peaked at more than 10 million compromised systems. In March, one botmaster was sentenced to four years in prison for creating a botnet of several hundred thousand computers.
In Damballa's analysis, the firm found that some smaller botnets were likely the work of insiders who, rather than maliciously infecting machines, were using the bot software as a remote administration tool. In other cases, the bot masters appear to be specifically targeting the data inside the corporate network, quietly monitoring the company's operations until the criminals can identify key employees to compromise or key data to steal.
"The net result is that these smallest botnets efficiently evade detection and (dis)closure by staying below the security radar and relying upon botnet masters that have a good understanding of how the enterprise functions internally," Ollmann wrote. "As such, they're probably the most damaging to the enterprise in the long term."
Posted by: Robert Lemos
