Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Virut Malware Botnet Torpedoed By Security Researchers

Spamhaus group scuttles command and control systems for Russian botnet controlling an estimated 300,000 zombie PCs per day.

Security researchers have scuttled the Virut botnet, which was comprised of an estimated 300,000 compromised zombie systems, by shutting down numerous domain names associated with the botnet.

"NASK, the operator of the Polish domain registry, took over 23 of these domains ... in an effort to protect Internet users from Virut-related threats," said Thomas Morrison, who's part of the Spamhaus project, in an announcement. "Name servers for those domains were changed to sinkhole.cert.pl, controlled by CERT Polska [CERT Poland] -- an incident response team operated by NASK."

The cooperative effort between the anti-spam group Spamhaus and CERT Poland was supported by NASK, which is a Polish research and development organization and data networks operator. NASK also operates the top-level .pl domain in Poland.

[ What is cyber warfare, and how can we prepare for it? Read Uncertain State Of Cyber War. ]

According to Spamhaus, Virut was being controlled by command-and-control (C&C) servers that used top-level Austrian, Polish, and Russian domain names. "In cooperation with the Polish CERT and the registrar home.pl, we managed to get all the Virut domain names within the .pl ccTLD sinkholed," said Morrison. "In addition, Spamhaus reached out to the Austrian CERT and the Russian-based Company Group-IB CERT-GIB to shut down the remaining Virut domains within the .at and .ru ccTLDs. In cooperation with Spamhaus, and due to the evidence and intelligence provided by Spamhaus, CERT-GIB was able to shut down all the Virut domains within the .ru ccTLD within a few hours."

Unfortunately, the top-level Austrian domain name registrar hasn't yet pulled the plug on Austrian domains that are being used by the Virut botmasters. "Having alerted both nic.at and the Austrian CERT multiple times about this issue, we hope that they can soon follow the examples set by the work done with .pl and .ru," said Morrison.

Spamhaus is operating in somewhat uncharted legal territory. Notably, officials at NASK said this was the first time that top-level domain names in Poland had been forcibly blocked. "NASK's actions are aimed at protecting Internet users from threats that involved the botnet built with Virut-infected machines, such as DDoS attacks, spam and data theft," read an advisory issued by NASK.

The Virut botnet was first spotted in 2006 and is believed to be controlled by Russian criminals. In the past seven years, however, the Virut botnet -- which offers a pay-per-install service that charges customers based on the number of PCs the botmasters ultimately infect -- has grown substantially larger. According to Kaspersky Lab, in the third quarter of 2012, 5.5% of all viruses it detected on infected PCs globally were Virut, which made the malware the fifth most widely seen malicious code at that time.

Many of the botnet's dozens of command-and-control systems were operating from top-level domain names in Poland. "Among the C&C servers used by W32.Virut, the domains irc.zief.pl and proxim.ircgalaxy.pl are used by the threat in order to receive instructions," read a Virut botnet overview published by Symantec. "However, recent versions have also included a domain generator backup that is used if the hardcoded servers cannot be reached."

Symantec said it noticed a recent change in Virut behavior, when "long-running Virut C&C domains stopped responding to connecting clients around mid-November 2012 and had a corresponding registrar status change." In fact, the two domain names mentioned -- among others -- were changed to read "undergoing proceeding," as in being subject to a judicial proceeding.

When that happened, Symantec said Virut's operators switched to the domain generator backup, which let researchers gain a closer look at the botnet's operations. Based on the data subsequently generated -- after Symantec sinkholed the botnet domains for three days -- it found that an estimated 300,000 infected PCs per day were connecting to Virut's C&C servers.

According to Poland CERT, that daily infection rate was a fraction of the number of PCs just in Poland that were being infected with the malware on an annual basis. The scale of the phenomenon was massive, according to NASK: in 2012 for Poland alone, over 890,000 unique IP addresses were reported to be infected by Virut.

As malware gets increasingly sophisticated, so, too, must the technology and strategies we use to detect and eradicate it (or, better yet, stop it before it ever makes it onto network systems). Our Rooting Out Sophisticated Malware report examines the tools, technologies and strategies that can ease some of the burden. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mathew
50%
50%
Mathew,
User Rank: Apprentice
1/28/2013 | 10:12:34 AM
re: Virut Malware Botnet Torpedoed By Security Researchers
Paul, I believe the attacker(s) simply registered the TLDs using the official registry service.
PJS880
50%
50%
PJS880,
User Rank: Ninja
1/28/2013 | 7:02:34 AM
re: Virut Malware Botnet Torpedoed By Security Researchers
NASK should have remained in control of thee servers and logged traffic across it and clients who is that server for malicious acts. Still it has got to be powerful Malware to infect 300,000 computers and almost a million ip addresses compromised. The article did not mention how the attacker gained access and control to the top-level domains in Poland.

Paul Sprague
InformationWeek Contributor
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-20092
PUBLISHED: 2021-05-13
File Upload vulnerability exists in ArticleCMS 1.0 via the image upload feature at /admin by changing the Content-Type to image/jpeg and placing PHP code after the JPEG data, which could let a remote malicious user execute arbitrary PHP code.
CVE-2020-21342
PUBLISHED: 2021-05-13
Insecure permissions issue in zzcms 201910 via the reset any user password in /one/getpassword.php.
CVE-2020-25713
PUBLISHED: 2021-05-13
A malformed input file can lead to a segfault due to an out of bounds array access in raptor_xml_writer_start_element_common.
CVE-2020-27823
PUBLISHED: 2021-05-13
A flaw was found in OpenJPEG’s encoder. This flaw allows an attacker to pass specially crafted x,y offset input to OpenJPEG to use during encoding. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
CVE-2020-27830
PUBLISHED: 2021-05-13
A vulnerability was found in Linux Kernel where in the spk_ttyio_receive_buf2() function, it would dereference spk_ttyio_synth without checking whether it is NULL or not, and may lead to a NULL-ptr deref crash.