Virut botnet takedown sinkholes 23 domains

News by Dan Raywood

Polish cyber security experts seized domains behind the Virut botnet over the weekend.

Polish cyber security experts seized domains behind the Virut botnet over the weekend.

According to reports, control of the 23 .pl domains was mastered by Polish registrar Nask, with the Polish computer emergency readiness team (Cert) assuming control of redirected traffic from the domains.

Cert Polska said: “Since 2006, Virut has been one of the most disturbing threats active on the internet. Interestingly, Virut's main distribution vector is executable file infection, and most users would get infected by using removable media or sharing files over networks. However, more recent versions of the malware have been capable of infecting HTML files, injecting an invisible iFrame that would download Virut from a remote site.

“Once infected, a computer would connect to an IRC server controlled by the attacker and receive instructions to download and run arbitrary executable files (all without owner's knowledge or consent). Effectively, Virut's authors have converted those machines into zombies – elements of a botnet used for spamming, DDoS attacks and other malicious activities.”

Symantec's threat report said that Virut controlled 300,000 machines, while Kaspersky Lab said that Virut was responsible for 5.5 per cent of malware infections in the third quarter of 2012.

Denis Carmody, from Symantec security response, said that Virut was downloading variants of the Waledac worm onto compromised PCs, as the number of computers infected with W32.Waledac.D continues to increase.

Security blogger Brian Krebs said: “It's not clear how the actions by Nask will impact the long-term operations of the Virut botnet. Many of Virut's control servers are located outside the reach of Nask, at Russian top-level domain name registrars (.ru). Also, Virut has a failsafe mechanism built to defeat targeted attacks on its infrastructure.”

Cert Polska also said that among the sinkholed 23 domain names were two websites that were broadly associated not just with Virut but also with the Zeus Trojan.

Paul Ducklin, head of technology for Sophos Asia Pacific, said: “So taking over some or all of those servers can make a big difference, at least temporarily, to the crooks' ability to operate their botnets.

“Every infected PC that crooks can no longer send on a criminal mission represents lost opportunity and lost revenue, and that hits them where it hurts: the pocket.”


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews