Polish Officials Move To Decapitate Virut Botnet

The Polish computer emergency response team (CERT) is hoping to rip apart a major botnet by wresting control of command and control domains used by attackers to control infected machines.

Virut has been used to pilfer user data, carry out distributed denial of service (DDoS) attacks and send out spam. The botnet was recently seen uploading the Waledac malware to machines, in attackers’ attempts to massively increase spamming powers of infected systems.

The botnet was believed to be 300,000 bots strong. At its height, in mid-2012, it was the fifth most widespread threat, according to Kasperksy.

Virut downed?

CERT Polska sinkholed 23 domain names, a number of which are also associated with running other botnets related to the Zeus malware.

“NASK, the operator of the Polish domain registry, took over 23 of these domains yesterday (Jan 17, 2013) in an effort to protect Internet users from Virut-related threats,” CERT Polska said, in its post on Friday.

“Name servers for those domains were changed to sinkhole.cert.pl, controlled by CERT Polska – an incident response team operated by NASK. NASK’s actions were supported by threat intelligence data from CERT Polska, VirusTotal and Spamhaus.”

Whilst the efforts of Polish officials is unlikely to help catch the crooks and end their campaigns, onlookers believe the takedowns will provide some benefit to the Internet.

“The benefits of a takedown are usually fairly brief, because the crooks, sadly, just move somewhere else, and may even program their malware with an automatic system for finding new C&C servers,” said Sophos’ Paul Ducklin, in a blog post.

“But you have to start somewhere, and every takedown demarcates a part of the internet where the Good Guys have said, ‘No more!’

“If nothing else, this sends a message to the sort of fringe-dwelling ISP that is willing to take dirty money by looking the other way to cyber criminality.”

What do you know about online security? Try our quiz and find out!