Virut botnet takedown sinkholes 23 domains

Polish cyber security experts seized domains behind the Virut botnet over the weekend.

Control of the 23 .pl domains was mastered by Polish registrar Nask, with the Polish computer emergency readiness team (CERT) assuming control of redirected traffic from the domains.

“Since 2006, Virut has been one of the most disturbing threats active on the internet," Cert Polska said.

"Interestingly, Virut's main distribution vector is executable file infection, and most users would get infected by using removable media or sharing files over networks. However, more recent versions of the malware have been capable of infecting HTML files, injecting an invisible iFrame that would download Virut from a remote site.

Infected computers would connect to an IRC server controlled by the attacker and receive instructions to download and run arbitrary executable files without owner's knowledge.

Symantec's threat report said that Virut controlled 300,000 machines, while Kaspersky Lab said that Virut was responsible for 5.5 per cent of malware infections in the third quarter of 2012.

Symantec security response Denis Carmody said that Virut was downloading variants of the Waledac worm onto compromised PCs adding the number of computers infected with W32.Waledac.D continues to increase.

Cert Polska said that among the sinkholed 23 domain names were two websites that were broadly associated not just with Virut but also with the Zeus Trojan.

Paul Ducklin, head of technology for Sophos Asia Pacific, said: “So taking over some or all of those servers can make a big difference, at least temporarily, to the crooks' ability to operate their botnets.

“Every infected PC that crooks can no longer send on a criminal mission represents lost opportunity and lost revenue, and that hits them where it hurts: the pocket.”

This article originally appeared at scmagazineuk.com