shawal,
the story that started my interest in botnet tracking was written by Steve Gibson of GRC.com. Basically it was a write-up of his investigations into a real life DDoS attack experienced by his company. Included the likes of detailed explanation of the attack experienced to writing a custom IRC bot to snoop on the attackers botnet command and control structure.
I've spent all afternoon trying to find a link to the story but everything I find points to a 404 error on the GRC site so it looks like it has been taken down for some reason. If you have as much luck as I did finding it PM me as I may have a saved copy on one of my works machines.
One of the botnet investigations I have undertaken myself was a an irc bot I cleaned from a client's server. Unfortunately I was unable to take the investigation as far as I would have liked as the c&c deactivated before it could be infiltrated. From packet traces obtained during the incident it appeared the bot was part of a spam sending network And wasn't very subtle, at random times of the day it would max out the server's 100Mb connection, made finding the issue childs play.
An aspect of the bot that I found rather amusing after pulling it's code apart is that it seemed to be programmed to throw random insults to the commandline. I am now the proud owner of a rather large file containing little more than insults about 'yo' mamma'
In response to your question about people getting away with murder, from experience in situations like this is can be very difficult, if not impossible, to find the true 'botmaster'. Often the best you can do is clean-up, inform any parties that have been involved in the investigation and try to prevent a similar intrusion next time. Regularly, the only machines/IPs/people that you can identify are just regular users like yourself, all blissfully unaware or trying to deal with the same issue.
I recently attended a seminar on forensic investigations where one of the talks was given by a member of a police 'cyber-crime' department. Before the talk I believed that the police force would largely ignore these types of activities but was impressed by the level of interest and available resources. I now intend to pass all findings of future investigation to the relevant authorities, something that was actively encouraged during the event.
If you intend to delve deeper into these areas I would highly recomment both the SANs Readin Room and archived webcasts, as well as the Honeynet project. A good starting point in incident response basics is "Dead Linux Machines do tell tales" (
http://www.sans.org/reading_room/whitepapers/honors/1491.php)
Hope this rather long rant is of some interest/use, and happy hunting
