CERT Polska Takes Down Virut Botnet
CERT Polska, the incident response team of the Polish domain registrar NASK, recently announced that it had taken over 23 domains that were being used to spread and control the Virut botnet. "The scale of the phenomenon was massive: in 2012 for Poland alone, over 890 thousand unique IP addresses were reported to be infected by Virut," the registrar stated.

"The Virut malware spreads by inserting malicious code into clean executable files and by copying itself to fixed, attached and shared network drives," writes Computerworld's Lucian Constantin. "Some variants also infect HTML, ASP and PHP files with rogue code that distributes the threat. Once installed on a computer, the Virut malware connects to an Internet Relay Chat (IRC) server using an encrypted connection and awaits instructions."

"Some of the domains identified in the takedown effort -- including ircgalaxy.pl and zief.pl -- have been used as controllers for nearly half a decade," writes Krebs on Security's Brian Krebs. "During that time, Virut has emerged as one of the most common and pestilent threats. Security giant Symantec recently estimated Virut’s size at 300,000 machines; Russian security firm Kaspersky said Virut was responsible for 5.5 percent of malware infections in the third quarter of 2012."

"Most zombies rely on connecting to so-called C&C (command-and-control) servers to find out what to do next," writes Sophos' Paul Ducklin. "So taking over some or all of those servers can make a big difference, at least temporarily, to the crooks' ability to operate their botnets. Every infected PC that crooks can no longer send on a criminal mission represents lost opportunity and lost revenue, and that hits them where it hurts: the pocket."

"NASK's actions are a welcome if unexpected event, apparently carried out with the help of Spamhaus and VirusTotal," writes Techworld's John E. Dunn.