The Polish Research and Academic Computer Network (NASK), the national registry of the .pl domain and founder of CERT Polska, has announced on Friday that they took over 23 domains that served as C&C servers for the Virut botnet.
“The scale of the phenomenon was massive: in 2012 for Poland alone, over 890 thousand unique IP addresses were reported to be infected by Virut,” claims CERT Polska. “Since 2006, Virut has been one of the most disturbing threats active on the Internet. In late 2012 Symantec estimated the size of its botnet at 300,000 machines, while Kaspersky reported that Virut was responsible for 5.5% of infections in Q3 2012, making it the fifth most widespread threat of the time.”
Among the domains the incident response team took over and sinkholed were also a few .pl domains previously used to host the Virut malware, its C&C IRC servers, and even Zeus and Palevo malware.
The Virut malware has, in the past, been mostly distributed via infected removable media and file sharing. But more recent version are capable of infecting HTML files, injecting an invisible iframe that would download Virut from a remote site, say the researchers.
Computers enslaved in the Virut botnet were used for spamming, DDoS attack, malware propagation, and similar malicious activities.