How to take down a botnet

Very interesting explanation of how a botnet “sinkhole” is used to subvert a network of compromised computers.

Infected machines typically receive commands from other infected machines — this makes it more difficult to “decapitate” the network by eliminating a single command-and-control server. The peer-to-peer network can also change quickly in response to threats; each node can propagate a list of new peers if there’s an intrusion. But it’s exactly this capability that enables the “sinkhole” technique. If researchers can crack the communications protocol used among the peers, they can create “poison” data that will propagate through the whole botnet. The data forces all peers to connect to a single machine. That machine, of course, belongs to the white hats, who now control the botnet.
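The peer-list poisoning described above, as an added simulation that is not part of the original post: a constructed peer-to-peer overlay in which each bot holds a versioned peer list, accepts only newer updates, and forwards them to the peers it knew before replacing its list. The versioned-update protocol and the sinkhole address are assumptions for illustration; the model shows why a single forged "your only peer is now the sinkhole" message still reaches the whole network.

```python
import random
from collections import deque

# Constructed placeholder for the researchers' machine; not a real host.
SINKHOLE = "sinkhole.example"


def build_network(n, fanout, seed=1):
    """Constructed P2P overlay: bot i always knows bot i+1 (so the graph is
    connected) plus random other bots, up to `fanout` peers in total."""
    rng = random.Random(seed)
    names = [f"bot{i:02d}" for i in range(n)]
    peers = {}
    for i, b in enumerate(names):
        others = [x for x in names if x != b]
        plist = {names[(i + 1) % n]}
        while len(plist) < fanout:
            plist.add(rng.choice(others))
        peers[b] = plist
    return peers


def run_sinkhole(peers, entry, poison_version=10**6):
    """Flood a forged peer-list update from one infected node.

    Assumed protocol: every node keeps (version, peer list). It accepts an
    update only if the version is newer than what it holds, replaces its
    peer list, then forwards the same update to the peers it knew *before*
    replacing. That forwarding step is what lets a "talk only to the
    sinkhole" message spread instead of cutting off its own propagation.
    Returns the set of nodes whose only remaining peer is the sinkhole.
    """
    version = {b: 0 for b in peers}
    queue = deque([(entry, poison_version, frozenset({SINKHOLE}))])
    while queue:
        node, ver, plist = queue.popleft()
        if ver <= version[node]:
            continue  # stale or duplicate update: ignored
        old_peers = peers[node]
        version[node] = ver
        peers[node] = set(plist)
        queue.extend((p, ver, plist) for p in old_peers)
    return {b for b, pl in peers.items() if pl == {SINKHOLE}}


if __name__ == "__main__":
    net = build_network(n=40, fanout=3)
    captured = run_sinkhole(net, entry="bot00")
    print(f"{len(captured)}/{len(net)} bots now report only to {SINKHOLE}")
```

Once every bot points at the sinkhole, the researchers' machine sees one inbound connection per infected host, which is how sinkhole operators enumerate victims for remediation.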
