In March of this year, researchers on Symantec's Security Response team began looking at ways in which they might be able to "sinkhole" (take down) ZeroAccess, one of the world's largest botnets. But then, in late June, the botnet started updating itself, removing the flaw that the researchers hoped to take advantage of. Faced with the choice of some or nothing, the team moved to sinkhole what they could. And that was over 500,000 bots.
A very commendable effort!
Ross Gibb and Vikram Thakur are presenting a paper about lessons learned at this year's Virus Bulletin.
Unfortunately, the bulk of ZeroAccess is still with us…