Researchers at Fox IT have detailed a massive botnet that has infected 15 million machines since it first appeared in 2009.
The Ponmocup botnet controlled 2.4 million devices at its peak in July 2011, and it remains one of the largest active botnets, with around 1 million machines still under its command.
The researchers describe Ponmocup as "one of the most successful botnets of the past decade, in terms of spread and persistence." They say its infrastructure is "complex, distributed, and extensive, with servers for dedicated tasks."
It is thought the botnet is being constantly developed, with the researchers unearthing 25 unique plug-ins and 4000 variants.
Ponmocup is hard to detect because it uses anti-analysis techniques, for example heuristic checks for network- and host-based analysis tools, debuggers and virtualised environments.
If these anti-analysis checks flag an attempt to analyse the malware, a fake payload is delivered instead: it injects adverts and is easy to remove. That decoy disguises the delivery of a much more serious payload.
Fox IT says that the attack is "believed to be aimed at financial gain" and that it has probably been "a multi-million dollar business for years now."
It is thought that the people behind Ponmocup are likely to be both Russian-speaking and of Russian origin, because the instructions distributed to business partners and affiliates are written in Russian. Additionally, the malware historically did not infect systems in certain post-Soviet countries.