Researchers Hijack Botnet Gain Insight to Bots and Their Victims
Researchers from the Security Group at the UC Santa Barbara Computer Science department hijacked the Torpig botnet for 10 days. In that time they found what you'd expect (some users are very lax with security) and some things not so expected (how difficult it is to notify victims).
The botnet is designed to steal passwords and financial information and it does both well:
In ten days, Torpig obtained the credentials of 8,310 accounts at 410 different institutions. The top targeted institutions were PayPal (1,770 accounts), Poste Italiane (765), Capital One (314), E*Trade (304), and Chase (217). On the other end of the spectrum, a large number of companies had only a handful of compromised accounts (e.g., 310 had ten or less). The large number of institutions that had been breached made notifying all of the interested parties a monumental effort. It is also interesting to observe that 38% of the credentials stolen by Torpig were obtained from the password manager of browsers, rather than by intercepting an actual login session.
The researchers' findings also support earlier survey results on the use of strong passwords:
Our analysis found that almost 28% of the victims reused their credentials for accessing 368,501 web sites. According to a recent survey conducted by Sophos in March 2009 [35], one third of 676 Internet users neglect the importance of using strong passwords. Thus, our results confirm those of the Sophos poll.
Lessons learned include:
First of all, we found that previous evaluations of botnet sizes based on the count of distinct IPs might be grossly overestimated. In particular, we found that, in our case, the number of unique IPs was one order of magnitude larger than the actual number of infected hosts.
Second, the victims of botnets are users with poorly maintained machines that choose easily guessable passwords to protect access to sensitive sites. This is evidence that the malware problem is fundamentally a cultural problem. ...
Another insight obtained from the experience of taking over the botnet was that interacting with registrars, hosting facilities, victim institutions, and law enforcement is a rather complicated process. In some cases, simply identifying the point of contact for one of the registrars involved required several days of frustrating attempts. We are sure that we have not been the first to experience this type of confusion and lack of coordination among the many pieces of the botnet puzzle. However, in this case we believe that simple rules of behavior imposed by the US government would go a long way toward preventing (or sanctioning) obviously-malicious behavior. Even though botnets are a global problem, the United States could effectively enforce rules of behavior that might make it harder for the botmaster to use the nation's cyber infrastructure with impunity.
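The first lesson above, that counting distinct IP addresses overstates a botnet's size, is easy to see once bot check-ins carry a stable per-bot identifier. The following is an added illustration, not code from the paper or the Torpig analysis: it runs over a small constructed set of check-in records (made-up bot labels and documentation-range IPs) and compares the distinct-IP count with the distinct-bot count, also flagging DHCP-style churn (one bot seen from several IPs) and NAT sharing (several bots behind one IP), which pushes the estimate the other way.

```python
from collections import defaultdict

# Constructed check-in log: timestamp, bot identifier, source IP.
# The bot labels are made up for this example; they are not Torpig's real
# identifier fields. Addresses come from the reserved documentation ranges.
CHECKINS = """\
2009-01-25T00:00:00 bot-a 203.0.113.10
2009-01-25T06:00:00 bot-a 203.0.113.11
2009-01-25T12:00:00 bot-a 203.0.113.12
2009-01-26T00:00:00 bot-a 203.0.113.13
2009-01-25T01:00:00 bot-b 198.51.100.7
2009-01-25T13:00:00 bot-b 198.51.100.8
2009-01-25T02:00:00 bot-c 192.0.2.44
2009-01-25T02:30:00 bot-d 192.0.2.44
2009-01-25T03:00:00 bot-e 192.0.2.44
"""


def parse_checkins(text):
    """Turn the whitespace-separated log into (timestamp, bot_id, ip) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, bot_id, ip = line.split()
        records.append((ts, bot_id, ip))
    return records


def size_estimates(records):
    """Compare the naive distinct-IP estimate with the distinct-bot count."""
    ips_per_bot = defaultdict(set)
    bots_per_ip = defaultdict(set)
    for _, bot_id, ip in records:
        ips_per_bot[bot_id].add(ip)
        bots_per_ip[ip].add(bot_id)
    distinct_ips = len(bots_per_ip)
    distinct_bots = len(ips_per_bot)
    return {
        "distinct_ips": distinct_ips,
        "distinct_bots": distinct_bots,
        # >1 means the IP-based estimate is inflated by address churn.
        "overestimate_factor": distinct_ips / distinct_bots,
        "bots_with_multiple_ips": sum(1 for s in ips_per_bot.values() if len(s) > 1),
        # Shared addresses hide bots and pull the IP-based estimate down.
        "ips_shared_by_multiple_bots": sum(1 for s in bots_per_ip.values() if len(s) > 1),
    }


if __name__ == "__main__":
    print(size_estimates(parse_checkins(CHECKINS)))
```

On the constructed log the seven distinct addresses map to only five bots, so the IP-based count is already 1.4 times too high over a single day; the paper's order-of-magnitude gap comes from the same effect accumulated over ten days of address churn.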
Thanks to ArsTechnica for finding this paper.