One of the interesting questions we get asked at ThreatSTOP concerns how long an IP address remains bad once it has been identified as such. The answer is not completely straightforward and varies depending on which threat list it has been put on. Moreover, many lists do not record "first seen" or "last seen" data for each IP address; they simply publish the currently active list (where "active" typically means that the address has been identified as bad within the last week or so). Possibly worse for the questioner, some of the threat sources we use are distributed under terms that prohibit us from answering the question.
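Because a list that only publishes its currently active entries carries no history, a consumer who archives the list each day can reconstruct "first seen", "last seen" and dwell time for every address. The code below is an added illustration, not ThreatSTOP's own code or data; the snapshots, dates and addresses are constructed (RFC 5737 documentation ranges) and the seven-day "active" window is assumed.

```python
from datetime import date, timedelta

# Constructed sample, not real list data: five daily snapshots of a threat
# list that only publishes its currently active entries. Addresses are taken
# from the RFC 5737 documentation ranges.
SNAPSHOTS = {
    "2010-08-01": {"192.0.2.10", "192.0.2.20"},
    "2010-08-02": {"192.0.2.10", "192.0.2.20", "198.51.100.5"},
    "2010-08-03": {"192.0.2.10", "198.51.100.5"},
    "2010-08-04": {"192.0.2.10"},
    "2010-08-05": {"192.0.2.10", "192.0.2.20"},
}


def build_history(snapshots):
    """Reconstruct first_seen / last_seen / days_listed per IP from the
    archived snapshots, since the list itself carries no such fields."""
    history = {}
    for day_str in sorted(snapshots):
        day = date.fromisoformat(day_str)
        for ip in snapshots[day_str]:
            rec = history.setdefault(
                ip, {"first_seen": day, "last_seen": day, "days_listed": 0})
            rec["last_seen"] = day          # snapshots are visited in date order
            rec["days_listed"] += 1
    return history


def dwell_days(rec):
    """Calendar span between first and last listing, inclusive. This differs
    from days_listed when an IP drops off the list and later reappears."""
    return (rec["last_seen"] - rec["first_seen"]).days + 1


def active_ips(history, as_of, window_days=7):
    """IPs still 'active' under the assumed rule that an entry counts as bad
    if it was listed within the last window_days days."""
    cutoff = date.fromisoformat(as_of) - timedelta(days=window_days)
    return sorted(ip for ip, rec in history.items() if rec["last_seen"] >= cutoff)


if __name__ == "__main__":
    hist = build_history(SNAPSHOTS)
    for ip, rec in sorted(hist.items()):
        print(ip, rec["first_seen"], rec["last_seen"],
              rec["days_listed"], dwell_days(rec))
    print(active_ips(hist, "2010-08-11"))
```

Note that 192.0.2.20 is listed on three days but spans five, so "how long it stayed bad" depends on whether you count listings or the calendar window between them.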
The ZeuS botnet got into the news last week with the announcement that it had led to significant financial losses in the UK. However, it (or rather they, since there are many botnets running the same trojan) is an infection that has been studied by a number of malware researchers.
A recent column by John Dix in Network World paints a rather depressing picture of the state of the Internet when it comes to malware. Mr Dix points out that there are millions of compromised computers (bots) out there and that, while network security people can block some of the worst, there are many that they cannot block because these other threats are quiet enough not to be detected by current IPS/IDS devices. His essential claim is that we simply have to assume that every network is penetrated and/or vulnerable to penetration by cyber-criminals. The article quotes various security professionals as stating that the dangerous bot attacks are stealthy and slow moving, with the attack gradually building up to its most serious level over a period of days or even weeks.