The Damballa researchers had come across the botnet, which they have not named, in recent weeks and were looking at the way that the network used a domain-generation algorithm to come up with new command-and-control domains for infected machines to contact. Many botnets use this same method, as it gives them the ability to react quickly when one domain is taken down or blacklisted by a large number of security products. When that happens, the botmaster can simply send out an instruction for all of the bots to connect to the new domain. Or the bots can be programmed to connect to various new domains at regular intervals, based on the date or other variables.
In this case, the researchers saw that a lot of bots were trying to connect to some domains that had not been registered yet. So they did some quick statistical analysis and picked out some of the most frequently requested domains and registered the domains themselves. The Damballa researchers then pointed the domains to a sinkhole maintained by the Georgia Tech Information Security Center and sat back and watched the action.
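The selection step described above, as an added illustration rather than Damballa's own tooling: rank domains that clients keep requesting but that do not resolve (NXDOMAIN), weighting by the number of distinct hosts asking, to pick sinkhole candidates. The log format and every domain and address below are constructed for the example.

```python
from collections import defaultdict

# Constructed sample of resolver log lines in the form "client_ip qname rcode".
# None of these hosts or domains come from the article; they are made up here.
SAMPLE_LOG = """\
10.0.0.5 kqwxz71f.net NXDOMAIN
10.0.0.7 kqwxz71f.net NXDOMAIN
10.0.0.9 kqwxz71f.net NXDOMAIN
10.0.0.5 p0l3mzr.com NXDOMAIN
10.0.0.7 p0l3mzr.com NXDOMAIN
10.0.0.5 example.com NOERROR
10.0.0.9 typo-of-google.cmo NXDOMAIN
10.0.0.7 vb8hq2d.org NXDOMAIN
10.0.0.7 vb8hq2d.org NXDOMAIN
10.0.0.7 vb8hq2d.org NXDOMAIN
"""


def parse_nxdomain(text):
    """Yield (client, qname) for every query that came back NXDOMAIN."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of crashing
        client, qname, rcode = parts
        if rcode == "NXDOMAIN":
            yield client, qname.lower().rstrip(".")


def rank_sinkhole_candidates(text, min_clients=2):
    """Rank unregistered domains by distinct requesting hosts, then total hits.

    A name that many different hosts ask for, yet nobody has registered, is
    the pattern the researchers exploited: it can be registered by the
    defender and pointed at a sinkhole. A single noisy host (or a one-off
    typo) is dropped by the min_clients threshold.
    """
    clients = defaultdict(set)
    hits = defaultdict(int)
    for client, qname in parse_nxdomain(text):
        clients[qname].add(client)
        hits[qname] += 1
    candidates = [
        (qname, len(clients[qname]), hits[qname])
        for qname in hits
        if len(clients[qname]) >= min_clients
    ]
    # Most distinct clients first; break ties on raw query volume.
    return sorted(candidates, key=lambda r: (r[1], r[2]), reverse=True)
```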