Report an incident
Back
  • About us
  • News
  • For experts
Report an incident
About us
About our team Contact
Baza wiedzy
Fałszywe inwestycje Uważaj na fałszywe sklepy online (Nie)bezpieczne płatności Fałszywi konsultanci Zadbaj o bezpieczne hasła i logowanie Fałszywe załączniki w mailach Fałszywe prośby o szybki przelew Fałszywe SMSy - plaga ostatnich miesięcy
Biuletyn OUCH!
Porady bezpieczeństwa OUCH!
For experts
Publications
Projects
n6 Artemis MWDB
CVD program
CVD policy Advisories

NASK shuts down dangerous Virut botnet domains
18 January 2013 | CERT Polska | #botnet

NASK has taken over multiple domains used for cybercrime activities, making their further usage for illegal purposes impossible. The domain names were used to spread and control dangerous malware known as “Virut” . NASK’s actions are aimed at protecting Internet users from threats that involved the botnet built with Virut-infected machines, such as DDoS attacks, spam and data theft. The scale of the phenomenon was massive: in 2012 for Poland alone, over 890 thousand unique IP addresses were reported to be infected by Virut.

Since 2006, Virut has been one of the most disturbing threats active on the Internet. In late 2012 Symantec estimated the size of its botnet at 300,000 machines, while Kaspersky reported that Virut was responsible for 5.5% of infections in Q3 2012, making it the fifth most widespread threat of the time. Interestingly, Virut’s main distribution vector is executable file infection, and most users would get infected by using removable media or sharing files over networks. However, more recent versions of the malware have been capable of infecting HTML files, injecting an invisible iframe that would download Virut from a remote site. Once infected, a computer would connect to an IRC server controlled by the attacker and receive instructions to download and run arbitrary executable files (all without owner’s knowledge or consent). Effectively, Virut’s authors have converted those machines into zombies – elements of a botnet used for spamming, DDoS attacks and other malicious activities. According to Symantec, Virut has been recently used for distribution of Waledac – a long-time recognized spamming bot.

A number of domains in .pl, most notably zief.pl and ircgalaxy.pl, have been used to host Virut, its command & control IRC servers, as well as to host other malware including Palevo and Zeus. NASK, the operator of the Polish domain registry, took over 23 of these domains yesterday (Jan 17, 2013) in an effort to protect Internet users from Virut-related threats. Name servers for those domains were changed to sinkhole.cert.pl, controlled by CERT Polska – an incident response team operated by NASK. NASK’s actions were supported by threat intelligence data from CERT Polska, VirusTotal and Spamhaus.

Share: