
Eastern European CERTs stage massive Virut botnet takedown

24 January 2013

A large Eastern European botnet has been thwarted in Poland and Russia – for now. Local Computer Emergency Response Teams (CERTs) and partners have shut down the Virut threat, which in Poland alone commanded more than 890,000 unique IP addresses.

Russia, Poland and Austria have been unwilling homes to a massive botnet built from Virut-infected machines and used for DDoS attacks, spam campaigns and data theft. According to CERT partner Spamhaus, the threat has only been worsening: Virut has lately started to drop the Zeus banking trojan and the Kelihos spambot onto machines it has already infected.

Virut is a worm that spreads through removable drives such as USB sticks and through network shares, and it also infects files on the host in order to spread further. It was first detected in 2006 and has since used several dozen domain names, mainly within the .pl ccTLD (Poland), the .ru ccTLD (Russia) and the .at ccTLD (Austria).

The scale of the infection is staggering: in late 2012, Symantec estimated the size of its botnet at 300,000 machines, while Kaspersky reported that Virut was responsible for 5.5% of infections in Q3 2012, making it the fifth most widespread threat of the time.

Spamhaus noted that takedown efforts have been made in the past, as recently as Dec. 2012, but have so far been unsuccessful: the Virut gang has simply moved the malicious botnet domain names to a new registrar.

In the past few days, Spamhaus has been in close contact with the latest sponsoring registrar (home.pl) and the Polish Computer Emergency Response Team (CERT.pl) to get the Virut domain names within the .pl ccTLD sinkholed.

“A number of domains in .pl, most notably zief.pl and ircgalaxy.pl, have been used to host Virut, its command & control IRC servers, as well as to host other malware including Palevo and Zeus,” said NASK, the operator of the Polish domain registry, in a statement. NASK took over 23 of these domains in an effort to protect internet users from Virut-related threats. Name servers for those domains were changed to sinkhole.cert.pl, controlled by CERT Polska.
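The takedown described above works by redirecting the botnet's domains to a sinkhole, so two defender-side checks follow naturally: confirm from the outside that a domain's name servers now point at the sinkhole, and scan resolver query logs for hosts that are still trying to reach the C&C domains, since those hosts remain infected even after the domains stop serving commands. The following Python is an added example and is not code from the article, Spamhaus or CERT Polska; the domain names and the sinkhole host are the ones the article cites, while the log lines, client addresses and BIND-style query-log format are constructed for illustration.

```python
import re
from collections import Counter

# Domains the article names as Virut-related; the .pl set was sinkholed by NASK/CERT Polska.
VIRUT_DOMAINS = {"zief.pl", "ircgalaxy.pl"}
# Name server the article says the seized .pl domains now point at.
SINKHOLE_NS = "sinkhole.cert.pl"

# Constructed sample resolver log lines (BIND-style query-log layout is assumed).
SAMPLE_LOG = """\
24-Jan-2013 10:01:02.123 client 10.0.5.17#51234: query: zief.pl IN A + (10.0.0.53)
24-Jan-2013 10:01:05.456 client 10.0.5.17#51240: query: www.example.com IN A + (10.0.0.53)
24-Jan-2013 10:02:11.789 client 10.0.7.44#40001: query: irc.ircgalaxy.pl IN A + (10.0.0.53)
24-Jan-2013 10:03:00.000 client 10.0.5.17#51250: query: ZIEF.PL. IN A + (10.0.0.53)
"""

QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot so comparisons are exact."""
    return name.rstrip(".").lower()


def matches_domain(qname, domain):
    """True if qname is the domain itself or any subdomain of it (label-aware, not a substring test)."""
    qname = normalize(qname)
    return qname == domain or qname.endswith("." + domain)


def flag_queries(log_text, watch=VIRUT_DOMAINS):
    """Return (client_ip, queried_name, matched_domain) for every query touching a watched domain."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        for domain in sorted(watch):
            if matches_domain(m["qname"], domain):
                hits.append((m["ip"], normalize(m["qname"]), domain))
    return hits


def hosts_by_hits(hits):
    """Count flagged queries per client so the noisiest (likely infected) hosts surface first."""
    return Counter(ip for ip, _, _ in hits)


def is_sinkholed(ns_records, sinkhole=SINKHOLE_NS):
    """True only if every NS record for a domain points at the sinkhole.

    ns_records is a list of NS target names as a resolver would return them
    (for example from dnspython or `dig NS`); a mix of sinkhole and other
    servers means the takedown is incomplete for that domain.
    """
    targets = [normalize(ns) for ns in ns_records]
    return bool(targets) and all(t == sinkhole for t in targets)


if __name__ == "__main__":
    hits = flag_queries(SAMPLE_LOG)
    for ip, name, domain in hits:
        print(f"{ip} queried {name} (matches {domain})")
    print("queries per host:", dict(hosts_by_hits(hits)))
    # Constructed NS answers: one fully sinkholed domain, one not.
    print("zief.pl sinkholed:", is_sinkholed(["sinkhole.cert.pl."]))
    print("other.example sinkholed:", is_sinkholed(["ns1.example.net.", "sinkhole.cert.pl."]))
```

Two details matter in practice. The domain match is label-aware (`irc.ircgalaxy.pl` matches, `notircgalaxy.pl` would not), which avoids the false positives a plain substring search produces. And `is_sinkholed` requires every NS record to point at the sinkhole, because a domain with one sinkhole server and one surviving original server can still hand out C&C addresses to some fraction of infected clients.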

In addition, Spamhaus reached out to the Austrian CERT and to CERT-GIB, the CERT of the Russia-based company Group-IB, to shut down the remaining Virut domains within the .at and .ru ccTLDs. CERT-GIB was able to shut down all the Virut domains within the .ru ccTLD within a few hours; in Austria, however, the infection remains active.

“How long the shut-down of Virut will last this time is unknown,” Spamhaus said in a blog post. “However, we remain committed to continue the fight against cyber threats. The recent Virut takedown is a good model for the future: the internet has no borders, and the community can only fight cybercrime successfully with international cooperation and coordination.”
