@ Ross Snider,
"Well this certainly isn't _why_ I didn't think of it. I didn't think of it because it's very creative."
OK, my first comment on redundancy was perhaps a little too short (I'll come back to it later). And as I said, they have done a rather nifty job of turning the theoretical to the practical.
"I figure updating a botnet is a pretty solved task. Not sure how much you'd get out of encoding all your opcodes into quasi-English first..."
It is very far from a solved problem, the explanation is a bit long so I don't mind if you don't read it...
Put simply the "obvious botnets" are those that are seen due to the network traffic they create.
The solution to botnets currently is that once a botnet is seen, the control channel is identified and attacked, and so the botnet remains but gets no commands, so is kind of out of action (but this is not a reliable process, as was demonstrated to the MWG when the botnet operator got control of part of the botnet back).
So the next step for botnet operators is to go from their "obvious botnet" used to do "DoS/Spam" to "covert" botnets used for information gathering and targeted "insider attacks".
We have already seen a modified version of the ZeuS botnet being used (badly) for intel gathering in that it was designed to go for .mil & .gov hosts and slurp up any user viewable documents and PDFs. It was seen due to being detected by a small number of AV systems and the resulting network traffic of it sending the documents etc out.
ZeuS's designer has just recently added "shell capability" to the available code base so "insider attacks" can be done. One consequence of which is where the attacker gets your computer to transfer your money into their buffer account. As it's your computer with your credentials on it etc, it's as though they have sat and typed at your keyboard. I wish you good luck trying to convince a bank it was not you... And moving from the obvious to the less obvious but even more interesting tricks such as manipulating your share trades, which I suspect we will hear more about in the next few months (then think on a 1/2 year after that and what you could do with a pump and dump stock if you could actually make a 1/2 million people buy 100USD of it).
That is botnet operators are starting to think and get inventive on how to better capitalize on "their investment" in the botnet...
As a result they will become more covert, and the way to get at them will be via the control channel. However, what if the control channel is not done via one or more hosts that can be taken off line?
I've already described how to do this "decoupled control channel" using open blog pages and a search engine like Google.
So the question about how to deal with botnets will move to the infection vector. Now, depending on who you believe, Adobe PDFs have overtaken all MS file formats as a primary infection vector.
This system potentially opens up any "text source" into an "attack vector", so put a little thought into how it might be used via RSS feeds or IRC or NewsNet or Blog web pages or potentially even "tweets"...
Back to your other points,
'I could not find the "tales of Riverbank" you were referring to'
Sorry, "Riverbank" is where a lab was in the early part of the last century. The owner of which had a fixation for "Bible codes" in the works of Shakespeare and hired a group of people to "prove his idea". One of whom was William Friedman, who was employed for other work. But he rather fancied a young lady, Elizabeth, who was working on the "Shakespeare codes".
The result was they got married and William in his late twenties published a series of reports (Riverbank Publication 22 being most notable). And the lab was more cryptographically capable than anything the US Gov had at the time.
Friedman is recognised as taking cryptography from art to science and is the father of the "index of coincidence" or "chi test" method. David Kahn has written several articles and a book or two about William Friedman. Sadly, Elizabeth, who was quite outstanding in her own right, kind of got totally eclipsed by her husband.
William ended up as an administrator and got embroiled with the "politics of cryptography" and many "ills" have been laid at his door, the truth of which is not likely to be resolved.
Try googling ["William friedman" "Riverbank publication"]