NASK’s actions are aimed at protecting Internet users from threats that involved the botnet built with Virut-infected machines, such as DDoS attacks, spam and data theft. The scale of the phenomenon was massive: in 2012 for Poland alone, over 890 thousand unique IP addresses were reported to be infected by Virut.
Since 2006, Virut has been one of the most disturbing threats active on the Internet. In late 2012 Symantec estimated the size of its botnet at 300,000 machines, while Kaspersky reported that Virut was responsible for 5.5% of infections in Q3 2012, making it the fifth most widespread threat of the time. Interestingly, Virut’s main distribution vector is executable file infection, and most users would get infected by using removable media or sharing files over networks. However, more recent versions of the malware have been capable of infecting HTML files, injecting an invisible iframe that would download Virut from a remote site. Once infected, a computer would connect to an IRC server controlled by the attacker and receive instructions to download and run arbitrary executable files (all without owner’s knowledge or consent). Effectively, Virut’s authors have converted those machines into zombies – elements of a botnet used for spamming, DDoS attacks and other malicious activities. According to Symantec, Virut has been recently used for distribution of Waledac – a long-time recognized spamming bot.
A number of domains in .pl, most notably zief.pl and ircgalaxy.pl, have been used to host Virut, its command & control IRC servers, as well as to host other malware including Palevo and Zeus. NASK, the operator of the Polish domain registry took over 23 of these domains yesterday (Jan 17, 2013) in an effort to protect Internet users from Virut-related threats. Name servers for those domains were changed to sinkhole.cert.pl, controlled by CERT Polska – an incident response team operated by NASK. NASK’s actions were supported by threat intelligence data from CERT Polska, VirusTotal and Spamhaus.