In addition to allowing criminals to purchase specific data hijacked by the botnet, such as access credentials for specific banks, Vawtrak also allows for the delivery of new malware to the infected computers.
"This is a flexible business model," he said.
For example, the botnet's computers can be configured to serve as proxies or even -- once all the other usability has been sucked out of them -- as spambots.
"Once the machine starts sending out spam it becomes obvious that it's infected with malware and it's not going to be infected much longer," he said.
End users can protect themselves against Vawtrak by keeping their anti-virus up-to-date and taking standard precautions against phishing emails and suspicious links.
Sophos also offers a free removal tool on its website.