Botnets aren't just for their creators anymore. Having more than likely bought the malware program that creates the bot, today's owners will either use the botnet for themselves or rent it to others by the hour or another metric.
The methodology is familiar. Each version of the malware program attempts to exploit thousands to tens of thousands of computers in an effort to create a single botnet that will operate as one entity at the creator's bidding. Each bot in the botnet eventually connects back to its C&C (command and control) server(s) to get its latest instructions. Botnets have been found with hundreds of thousands of infected computers.
But now that there are so many active botnets (literally tens of millions of infected computers each day), botnet rentals are fairly cheap, meaning all the more problems for IT security pros.
Malware fighters will often attempt to take down the C&C servers and/or take over their control so that they can instruct the connecting bots to disinfect their host computers and die.
Today's sophisticated malware programs often offer all-in-one, soup-to-nuts functionality. They will not only infect the end user but also break into websites and modify them to help infect more victims. These all-in-one malware programs often come with management consoles so that their owners and creators can keep track of what the botnet is doing, whom it is infecting, and which versions are most successful.
But the rise in Web server compromises isn't entirely a matter of Webmasters' own computers being exploited. More often, the attacker finds a weakness or vulnerability in a website that allows them to bypass admin authentication and write malicious scripts.
Common website vulnerabilities include poor passwords, cross-site scripting vulnerabilities, SQL injection, vulnerable software, and insecure permissions. The Open Web Application Security Project Top 10 list is the authority on how most Web servers get compromised.
Many times it isn't the Web server or its application software but some link or advertisement that gets hacked. It's fairly common for banner ads, which are often placed and rotated by general advertising agencies, to end up infected. Heck, many times the malware guys simply buy ad space on popular Web servers.