More than one million computers on the net have been hijacked to attack websites and pump out spam and viruses.
Hackers are in control of many home PCs
The huge number was revealed by security researchers who have spent months tracking more than 100 networks of remotely-controlled machines.
The largest network of so-called zombie networks spied on by the team was made up of 50,000 hijacked home computers.
Data was gathered using machines that looked innocent but which logged everything hackers did to them.
The detailed look at zombie or 'bot nets of hijacked computers was done by the Honeynet Project - a group of security researchers that gather information using networks of computers that act as "honey pots" to attract hackers and gather information about how they work.
While 'bot nets have been known about for some time, estimates of how widespread they are from security firms have varied widely.
To gather its information the German arm of the Honeynet Project created software tools to log what happened to the machines they put on the web.
Getting the machines hijacked was worryingly easy. The longest time a Honeynet machine survived without being found by an automatic attack tool was only a few minutes. The shortest compromise time was only a few seconds.
The research found that, once compromised machines tend to report in to chat channels on IRC servers and wait instructions from the malicious hacker behind the tools used to recruit the machine.
Many well-known vulnerabilities in the Windows operating system were exploited by 'bot net controllers to find and take over target machines.
Especially coveted were home PCs sitting on broadband connections that are never turned off.
Use and abuse
The months of surveillance revealed that the different 'bot nets - which involve a few hundred to tens of thousands of machines - are used for a variety of purposes.
Gambling sites have been hit hard by web attacks
Many are used as relays for spam, to route unwanted adverts to PC users or as launch platforms for viruses.
But the research team found that many are put to very different uses.
During the monitoring period, the team saw 'bot nets used to launch 226 distributed denial-of-service attacks on 99 separate targets. These attacks bombard websites with data in an attempt to overwhelm the target.
Using a 'bot net of machines spread around different networks and nations makes such attacks hard to defend against.
One DDoS attack was used by one firm to knock its competitors offline.
Other 'bot nets were used to abuse the Google Adsense program that rewards websites for displaying adverts from the search engine. Some networks were used to abuse or manipulate online polls and games.
Criminals also seem to be starting to use 'bot nets for mass identity theft, to host websites that look like those of banks so confidential information can be gathered and to peep into online traffic to steal sensitive data.
"Leveraging the power of several thousand bots, it is viable to take down almost any website or network instantly," said the researchers. "Even in unskilled hands, it should be obvious that 'bot nets are a loaded and powerful weapon."