Polish security researchers scored a win for the white hats when they took control of several domains used to command one of the world’s largest botnets. The ‘Virut’ botnet had been used to distribute many kinds of malware, including ZeuS, Kelihos and Waledac.
The Register’s John Leyden reported, “Security researchers have decapitated a spam-spewing network of hacked computers by pulling the plug on the central command-and-control servers. The compromised PCs were infected by the Virut virus and were being remotely controlled from these servers by miscreants. The takedown operation was coordinated by CERT Polska, the computer emergency response team in Poland. Virut – which spreads via file-sharing networks, compromised web servers and infected USB drives – was responsible for 6.8 per cent of malware infections in 2012, according to stats from Russian security biz Kaspersky Lab.”
Brian Krebs of Krebs on Security blogged, “NASK, the domain registrar that operates the ‘.pl’ Polish top-level domain registry, said that on Thursday it began assuming control over 23 .pl domains that were being used to operate the Virut network. The company has redirected traffic from those domains to sinkhole.cert.pl, a domain controlled by CERT Polska — an incident response team run by NASK. The company says it will be working with Internet service providers and security firms to help alert and clean up affected users.”
Computerworld’s Lucian Constantin explained, “The Virut malware spreads by inserting malicious code into clean executable files and by copying itself to fixed, attached and shared network drives. Some variants also infect HTML, ASP and PHP files with rogue code that distributes the threat. Once installed on a computer, the Virut malware connects to an Internet Relay Chat (IRC) server using an encrypted connection and awaits instructions. This allows attackers to control Virut infected computers as a botnet. Virut is primarily used as a malware distribution platform — other cybercriminals pay the Virut botmasters to deploy their own malware on the already compromised computers.”
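A sinkhole takedown like the one Krebs describes only pays off for defenders when ISPs and security teams can turn the redirected traffic into a list of infected machines: every bot still tries to reach its IRC command-and-control hosts, so its DNS lookups now land on sinkhole.cert.pl. The script below, an added example and not code from CERT Polska, NASK or any of the quoted outlets, shows the kind of check an ISP abuse desk would run over resolver logs. The two C2 domain names, the log line format and the log lines themselves are constructed for illustration; the page does not list the 23 real domains.

```python
"""Flag hosts that still look up sinkholed C2 domains (added example, not CERT Polska's tooling)."""
import ipaddress
from collections import defaultdict

# Hypothetical stand-ins for the sinkholed .pl C2 domains; the real list is not on the page.
SINKHOLED_DOMAINS = {"c2-example-one.pl", "c2-example-two.pl"}
# The sinkhole hostname named in the takedown report.
SINKHOLE_HOST = "sinkhole.cert.pl"

# Constructed resolver log, assumed format: "<timestamp> <client_ip> <qname> <qtype> <answer>"
SAMPLE_LOG = """
2013-01-18T10:00:01Z 10.0.0.5 irc.c2-example-one.pl A sinkhole.cert.pl.
2013-01-18T10:00:02Z 10.0.0.7 www.example.com A 93.184.216.34
2013-01-18T10:00:03Z 10.0.0.9 update.c2-example-two.pl A NXDOMAIN
2013-01-18T10:00:04Z 10.0.0.7 other.pl CNAME sinkhole.cert.pl.
malformed line
2013-01-18T10:00:05Z not-an-ip foo.c2-example-one.pl A 1.2.3.4
"""


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop the trailing root dot so comparisons are stable."""
    return name.rstrip(".").lower()


def is_under(name: str, zone: str) -> bool:
    """True if name equals zone or is a subdomain of it (label-aware, so no prefix tricks)."""
    name, zone = normalize(name), normalize(zone)
    return name == zone or name.endswith("." + zone)


def parse_line(line: str):
    """Parse one log line into a dict, or return None for malformed lines or bad client IPs."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, qname, qtype, answer = parts
    try:
        ipaddress.ip_address(client)  # reject lines whose client field is not an IP address
    except ValueError:
        return None
    return {"ts": ts, "client": client, "qname": normalize(qname),
            "qtype": qtype, "answer": normalize(answer)}


def find_sinkhole_hits(lines):
    """Map client IP -> sorted reasons it was flagged.

    A host is flagged either because it queried a sinkholed C2 domain (or a name under it),
    or because the answer it received points at the sinkhole host.
    """
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if any(is_under(rec["qname"], zone) for zone in SINKHOLED_DOMAINS):
            hits[rec["client"]].add("query:" + rec["qname"])
        elif is_under(rec["answer"], SINKHOLE_HOST):
            hits[rec["client"]].add("cname:" + rec["answer"])
    return {client: sorted(reasons) for client, reasons in hits.items()}


if __name__ == "__main__":
    for client, reasons in sorted(find_sinkhole_hits(SAMPLE_LOG.splitlines()).items()):
        print(client, ", ".join(reasons))
```

Matching on the query name as well as on the answer matters: a bot whose lookup fails (NXDOMAIN, as for 10.0.0.9 above) never sees the sinkhole address, but the attempt alone is enough evidence to notify the customer. The label-aware `is_under` check avoids flagging unrelated names that merely contain a C2 domain as a substring.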
ZDNet’s Michiel van Blommestein noted, “The Virut botnet was ranked fifth in the world in terms of infections, NASK and CERT Poland said, citing a statistic from antivirus company Kaspersky Lab. Virut is thought to have infected machines associated with 890,000 unique IP addresses during 2012 in Poland alone, NASK said. The revenue generated by Virut is estimated at around 1 million zloty (€250,000), according to prominent Polish security blog Niebezpiecznik.”