
Eastern European CERTs stage massive Virut botnet takedown

24 January 2013

A large Eastern European botnet has been thwarted in Poland and Russia, at least for now. Local Computer Emergency Response Teams (CERTs) and their partners have shut down the Virut threat, which in Poland alone commanded more than 890,000 unique IP addresses.

Russia, Poland and Austria have been unwilling homes to a massive botnet built from Virut-infected machines and used for DDoS attacks, spam campaigns and data theft. According to CERT partner Spamhaus, the threat has only been getting worse: Virut has lately started to drop the Zeus banking trojan and the Kelihos spambot onto computers it has already infected.

Virut spreads through removable drives such as USB sticks and through network shares, and it is also a file infector: it inserts its code into executable files, so copying or sharing an infected program carries it to new machines. It was first detected in 2006, and since then has used several dozen domain names for command and control, mainly within the .pl ccTLD (Poland), the .ru ccTLD (Russia) and the .at ccTLD (Austria).

The scale of the infection is staggering: In late 2012, Symantec estimated the size of its botnet at 300,000 machines, while Kaspersky reported that Virut was responsible for 5.5% of infections in Q3 2012, making it the fifth most widespread threat of the time.

Spamhaus noted that previous takedown attempts, the most recent in December 2012, had failed: each time, the Virut gang simply moved the botnet's domain names to a new registrar.

In the past few days, Spamhaus has been in close contact with the latest sponsoring registrar (home.pl) and the Polish Computer Emergency Response Team (CERT.pl) to get the Virut domain names within the .pl ccTLD sinkholed, so that infected machines looking up their C&C servers are directed to a system under the defenders' control instead.

“A number of domains in .pl, most notably zief.pl and ircgalaxy.pl, have been used to host Virut, its command & control IRC servers, as well as to host other malware including Palevo and Zeus,” said NASK, the operator of the Polish domain registry, in a statement. NASK took over 23 of these domains in an effort to protect internet users from Virut-related threats. Name servers for those domains were changed to sinkhole.cert.pl, controlled by CERT Polska.
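Once the name servers for the C&C domains point at sinkhole.cert.pl, infected hosts keep resolving those names, which makes them visible in a site's own DNS resolver logs. The script below is an added example, not code from the article, NASK, CERT Polska or Spamhaus: it scans constructed, simplified BIND-style query/answer log lines for clients that still look up the two Virut domains named above (zief.pl and ircgalaxy.pl, including subdomains and differently-cased or dot-terminated spellings) and for NS answers that show a domain now delegated to the CERT Polska sinkhole. The log format, the client IP addresses and the sample lines are all assumptions constructed for the example.

```python
"""Flag hosts still beaconing to the Virut C&C domains named in the article,
and note which of those domains a resolver now sees delegated to sinkhole.cert.pl.

Added example; not the article's, NASK's, CERT Polska's or Spamhaus's code.
The log format below is a simplified BIND-style line we assume for the example:
  <timestamp> client <ip>#<port>: query: <qname> IN <qtype>
  <timestamp> client <ip>#<port>: answer: <qname> IN <qtype> <rdata>
"""
import re
from collections import defaultdict

VIRUT_DOMAINS = {"zief.pl", "ircgalaxy.pl"}  # domains named in the NASK statement
SINKHOLE_NS = "sinkhole.cert.pl"             # name server the domains were moved to

# Constructed sample log lines (not real traffic); client IPs are made up.
SAMPLE_LOG = """\
24-Jan-2013 10:01:02.100 client 10.0.0.17#51234: query: zief.pl IN A
24-Jan-2013 10:01:02.110 client 10.0.0.17#51234: answer: zief.pl IN NS sinkhole.cert.pl
24-Jan-2013 10:01:05.200 client 10.0.0.23#40001: query: www.example.com IN A
24-Jan-2013 10:02:30.300 client 10.0.0.42#53211: query: irc.ircgalaxy.pl IN A
24-Jan-2013 10:02:30.310 client 10.0.0.42#53211: answer: ircgalaxy.pl IN NS sinkhole.cert.pl
24-Jan-2013 10:03:00.000 client 10.0.0.17#51300: query: IRCGALAXY.PL. IN A
24-Jan-2013 10:03:10.000 client 10.0.0.99#50000: query: notzief.pl IN A
"""

LINE_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: (?P<kind>query|answer): "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)(?: (?P<rdata>\S+))?"
)


def normalize(name):
    """Lower-case and drop the trailing dot so 'IRCGALAXY.PL.' matches 'ircgalaxy.pl'."""
    return name.lower().rstrip(".")


def in_domain(qname, domain):
    """True for the domain itself or a subdomain; a bare suffix match like
    'notzief.pl' against 'zief.pl' must NOT count, hence the leading dot."""
    return qname == domain or qname.endswith("." + domain)


def matching_domain(qname):
    """Return the Virut domain a query name falls under, or None."""
    qname = normalize(qname)
    for domain in VIRUT_DOMAINS:
        if in_domain(qname, domain):
            return domain
    return None


def scan(log_text):
    """Return (beaconing, sinkholed).

    beaconing: {client_ip: sorted list of Virut domains that client queried}
    sinkholed: set of Virut domains whose NS answer names the CERT Polska sinkhole
    """
    beaconing = defaultdict(set)
    sinkholed = set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        domain = matching_domain(m["qname"])
        if domain is None:
            continue  # unrelated lookup
        if m["kind"] == "query":
            beaconing[m["ip"]].add(domain)
        elif m["qtype"] == "NS" and m["rdata"] and normalize(m["rdata"]) == SINKHOLE_NS:
            sinkholed.add(domain)
    return {ip: sorted(domains) for ip, domains in beaconing.items()}, sinkholed


if __name__ == "__main__":
    hosts, sunk = scan(SAMPLE_LOG)
    for ip, domains in sorted(hosts.items()):
        print(f"{ip} still looks up Virut C&C domains: {', '.join(domains)}")
    print("domains seen delegated to the sinkhole:", ", ".join(sorted(sunk)))
```

Two points a practitioner would check when reusing this: the suffix test deliberately requires a dot boundary, so look-alike names such as notzief.pl are not flagged, and the match is case-insensitive and ignores a trailing dot, because resolvers log query names in whatever form the client sent them. Hosts that appear in the beaconing list after the sinkhole is in place are the ones that still need cleaning, whether or not the C&C is reachable.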

In addition, Spamhaus reached out to the Austrian CERT and to CERT-GIB, the CERT run by the Russia-based company Group-IB, to shut down the remaining Virut domains within the .at and .ru ccTLDs. CERT-GIB was able to shut down all the Virut domains within the .ru ccTLD within a few hours; the .at domains, however, had not yet been taken down, and the Austrian infection remains active.

“How long the shut-down of Virut will last this time is unknown,” Spamhaus said in a blog. “However, we remain committed to continue the fight against cyber threats. The recent Virut take down is a good model for the future: the internet has no borders, and the community can only fight cybercrime successfully with international cooperation and coordination.”
