Eastern European CERTs stage massive Virut botnet takedown

Russia, Poland and Austria have been unwilling homes to a massive botnet built with Virut-infected machines, bent on carrying out DDoS attacks, spam campaigns and data theft. According to CERT partner Spamhaus, the threat has only been worsening: Virut lately has started to drop the Zeus banking trojan and the Kelihos spambot onto computers infected with Virut.

Virut is a worm that spreads through removable drives such as USB sticks and network shares, but it also has file infection capabilities that it uses to spread. It was first detected in 2006, and since then has been using several dozen domain names, mainly within the .pl ccTLD (Poland), the .ru ccTLD (Russia) and the .at ccTLD (Austria).

The scale of the infection is staggering: In late 2012, Symantec estimated the size of its botnet at 300,000 machines, while Kaspersky reported that Virut was responsible for 5.5% of infections in Q3 2012, making it the fifth most widespread threat of the time.

Spamhaus noted that while takedown efforts have been made in the past, as recently as Dec. 2012, they have so far been unsuccessful. The Virut botnet gang simply has managed to move the malicious botnet domain names to a new registrar.

In the past few days, Spamhaus has been in close contact with the latest sponsoring registrar (home.pl) and the Polish Computer Emergency Response Team (CERT.pl) to get the Virut domain names within the .pl ccTLD sinkholed.

“A number of domains in .pl, most notably zief.pl and ircgalaxy.pl, have been used to host Virut, its command & control IRC servers, as well as to host other malware including Palevo and Zeus,” said NASK, the operator of the Polish domain registry, in a statement. NASK took over 23 of these domains in an effort to protect internet users from Virut-related threats. Name servers for those domains were changed to sinkhole.cert.pl, controlled by CERT Polska.

In addition, Spamhaus reached out to the Austrian CERT and the Russian based Company Group-IB CERT-GIB to shut down the remaining Virut domains within the .at and .ru ccTLDs. CERT-GIB was able to shut down all the Virut domains within the .ru ccTLD within a few hours – Austria’s infection, however, still remains virulent.

“How long the shut-down of Virut will last this time is unknown,” Spamhaus said in a blog. “However, we remain committed to continue the fight against cyber threats. The recent Virut take down is a good model for the future: the internet has no borders, and the community can only fight cybercrime successfully with international cooperation and coordination.”

What’s hot on Infosecurity Magazine?