But it was that same efficiency that let researchers quickly subvert the botnet.
Although the hackers have abandoned the 100,000+ PCs that Stone-Gross and his colleagues have sinkholed, they have not gone away.
Israeli security firm Seculert said today that the Kelihos makers have been using malware spread through Facebook to build up their botnet, and continued to do so even after last week's sinkholing.
Stones-Gross, meanwhile, said there was evidence that those behind Kelihos had turned to pay-per-install affiliates -- who are rewarded for each machine they infect -- to compromise new machines that could then be loaded with the bot.
The criminals have bounced back before: Although the botnet Microsoft and others disabled last year is still incommunicado, the same hackers returned to the Internet earlier this year with a variant of the malware that infected even more PCs.
It was that second-generation Kelihos botnet that CrowdStrike, SecureWorks and others took offline last week.
Stone-Gross maintained that the take-down had been a success no matter how the hackers reacted in the future.
"The overall effectiveness of a peer-to-peer [infrastructure] has been overestimated," said Stone-Gross. "There's a lot of complexity involved [in any take-down], but in the end, they're putting a lot of trust in each node. And it backfired on them."
Sign up for Computerworld eNewsletters.