least 2 million PCs globally. That is a conservative estimate," Richard Domingues Boscovich, assistant general counsel with Microsoft's Digital Crimes Unit, said in an interview on Tuesday.
He said the vast majority of infected machines were in the United States, Europe and Hong Kong.
Microsoft and the FBI, aided by authorities in more than 80 countries, on June 5 sought to take down 1,400 malicious computer networks known as the Citadel Botnets by severing their access to infected machines. Microsoft's Digital Crimes Unit is working with its partners overseas to determine exactly how many of the Citadel botnets are still operational.
"We feel confident that we really got most of the ones that we were after," he said. "It was a very, very successful disruptive action."
The ringleader, who goes by the alias Aquabox, and dozens of botnet operators remain at large and the authorities are working to uncover their identities. Boscovich said he suspects Aquabox is in Eastern Europe.
The botnets, which were run from "command and control" servers at data hosting centers around the world, were used to steal from hundreds of financial institutions, according to court documents that Microsoft filed to get permission to shut down servers in the United States that were being used to run the operation.
Data center operators typically are not aware that their servers are being used to run botnets.
The ring targeted firms of all sizes, from tiny credit unions to global banks such as Bank of America, Credit Suisse, HSBCand Royal Bank of Canada.
Citadel is one of the biggest botnets in operation today. Microsoft said its creator bundled the software with pirated versions of the Windows operating system.
The FBI, which on Tuesday declined to comment on its progress in its investigation of Citadel, has said it is working closely with Europol and other overseas authorities to capture the unknown criminals.
Cyber criminals typically infect machines by sending spam emails containing malicious links and attachments, and by infecting legitimate websites with computer viruses that attack unsuspecting visitors. Some bot herders rent or sell infected machines on underground markets to other cyber criminals looking to engage in a wide variety of activities including credit card theft and attacks on government websites.
The Citadel software disables anti-virus programs on infected PCs so they cannot detect malicious software. It surfaced in early 2012 and is sold over the Internet in kits that cost $2,400 or more.