Bob Burls looks back on a case where the diligence of an IT guy helped convict a botmaster who had made tens of thousands of dollars. In November 2006 a particularly aggressive piece of malware came to the notice of Scotland Yards Computer Crime Unit. The malware in question was an IRCBot, with worm-like properties detected by Sophos as W32/Vanebot-R. It used various propagation vectors to spread: MS SQL servers protected by weak passwords, network shares and network traffic.”]
Source: https://nakedsecurity.sophos.com/2013/01/04/lsdigital-botnet-downfall/