January 18, 2013

Security experts in Poland on Thursday quietly seized domains used to control the Virut botnet, a huge army of hacked PCs that is custom-built to be rented out to cybercriminals.

Source: Symantec

NASK, the registry that operates Poland's “.pl” top-level domain, said that on Thursday it began taking control of 23 .pl domains that were being used to run the Virut network. It has redirected traffic from those domains to sinkhole.cert.pl, a domain controlled by CERT Polska, the incident response team run by NASK. NASK says it will work with Internet service providers and security firms to alert and clean up affected users.

“Since 2006, Virut has been one of the most disturbing threats active on the Internet,” CERT Polska wrote. “The scale of the phenomenon was massive: in 2012 for Poland alone, over 890 thousand unique IP addresses were reported to be infected by Virut.”

Some of the domains identified in the takedown effort — including ircgalaxy.pl and zief.pl — have been used as controllers for nearly half a decade. During that time, Virut has emerged as one of the most common and pestilent threats. Security giant Symantec recently estimated Virut’s size at 300,000 machines; Russian security firm Kaspersky said Virut was responsible for 5.5 percent of malware infections in the third quarter of 2012.

The action against Virut comes just days after Symantec warned that Virut had been used to redeploy Waledac, a spam botnet that was targeted in a high-profile botnet takedown by Microsoft in 2010.

SELF-PERPETUATING CRIME MACHINE

A file-infecting virus that has long been used to steal information from infected PCs, Virut is often spread via removable drives and file-sharing networks. But in recent years it has become one of the most reliable engines behind the large-scale malware deployment systems known as pay-per-install (PPI) networks. One such example was “exerevenue.com,” a popular PPI network that once shared hosting infrastructure with the aforementioned .pl domains.

PPI networks attract entrepreneurial malware distributors: hackers who are given custom “installer” programs that bundle malware and adware. In return, the distributors are paid a set amount for each 1,000 times their installer programs are run on new PCs. Access to the PPI networks is sold to miscreants in the underground, particularly spammers looking to increase the size of their spam botnets. Those clients submit their malware (a spambot, fake antivirus software, or password-stealing Trojan) to the PPI service, which charges varying rates per thousand successful installations, depending on the geographic location of the desired victims.

The Exerevenue.com PPI program died off in 2010, but cached copies of the site offer a fascinating glimpse into the Virut business model. The following snippet of text was taken from Exerevenue’s software end-user license agreement (EULA, and yes, this malware had a EULA). It aptly described how Virut worked: as a file-infecting virus that injected copies of itself into all .EXE and .HTML files found on victim PCs. According to the Exerevenue administrators, the program’s installer relied on a trademarked “QuickBundle™” technology that bundled adware with other programs.

“3) The software will especially target .EXE and .HTML files in the process of bundling. Other types of files may also be affected. HTML files are bundled with adware indirectly, through Internet links, and it relies upon certain features of Web browsers that are often considered undesired. Therefore, you agree you will not deliver your bundled files to anyone who can be offended by the QuickBundle technology described earlier. In order to prevent a file from being bundled with adware, you can change its name to begin with PSTO or WINC (in case of .EXE and .SCR files) or change its extension (in case of .HTM(L), .ASP, and .PHP files), for example to .TXT. Apart from enriching your files with ad-supported content, your Windows HOSTS file will be modified to block certain domains used for adware loading automatization.”

WHO IS RUNNING VIRUT?

In 2007, researchers at the malware research group Team Furry published a brain dump of information they had collected about the individuals they believed created and ran the Virut botnet. Team Furry pointed to several subdomains of zief.pl and ircgalaxy.pl that, according to archived copies on archive.org, hosted a somewhat active user forum frequented by hackers who used the names “XMAX” and “Adx.” According to Team Furry, Adx was the hacker handle used by a computer whiz from Warsaw named Piotr Niżyński. Mr. Niżyński did not respond to multiple requests for comment.

It’s not clear how the actions by NASK will affect the long-term operations of the Virut botnet. Many of Virut’s control servers are located outside the reach of NASK, at Russian (.ru) top-level domain registrars. Virut also has a failsafe mechanism built to defeat targeted attacks on its infrastructure. In a blog post on Jan. 7, 2013, Symantec documented Virut’s domain generation algorithm (DGA): should Virut-infected PCs be unable to reach their hard-coded controllers at ircgalaxy.pl and zief.pl, the malware is configured to check one of a possible 10,000 different domain names each day, generated according to an algorithm built into the malware. Armed with this backup mechanism, the miscreants responsible for Virut would in theory need only to register one of the DGA-designated domains to re-establish communication with, and control over, the botnet.
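The two mechanisms in play here, the registry-level sinkholing described earlier and the DGA fallback described in the paragraph above, are easiest to reason about as a small model. The following is an added example written for this page, not code from the original article, from Symantec, or from the Virut malware: the domain generator is a hypothetical date-seeded SHA-256 construction standing in for Virut’s real (undocumented here) algorithm, the `.example` TLD, seed value and 192.0.2.x addresses are constructed, and the resolver is a dictionary rather than real DNS. It shows the bot-side failover order (hard-coded controllers first, then the day’s DGA list), why a sinkholed domain does not satisfy the bot, how the operators regain the botnet by registering a single DGA name, and what a defender who can precompute the same list can do about that.

```python
"""Model of C2 failover: hard-coded controllers, then a date-seeded DGA.

HYPOTHETICAL generator and data for illustration; this is NOT Virut's DGA.
"""
import hashlib
from datetime import date
from typing import Dict, List, Optional

HARDCODED_C2 = ["ircgalaxy.pl", "zief.pl"]  # controller domains named in the article
DOMAINS_PER_DAY = 10_000                     # daily candidate count the article cites from Symantec
SINKHOLE = "sinkhole.cert.pl"                # CERT Polska sinkhole named in the article
TLD = ".example"                             # hypothetical TLD for generated names
DGA_SEED = b"hypothetical-seed"              # hypothetical, not Virut's seed
EXAMPLE_DAY = date(2013, 1, 18)              # date of the takedown


def dga_candidates(day: date, count: int = DOMAINS_PER_DAY) -> List[str]:
    """Deterministic list of candidate C2 names for one calendar day.

    Bot and defender compute the same list once the algorithm is known,
    which is what makes pre-registration and sinkholing of DGA names possible.
    """
    names = []
    for i in range(count):
        digest = hashlib.sha256(DGA_SEED + day.isoformat().encode() + i.to_bytes(4, "big")).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:10])
        names.append(label + TLD)
    return names


class Resolver:
    """Toy DNS view: name -> IP; unknown names resolve to None."""

    def __init__(self, records: Dict[str, str]):
        self.records = dict(records)

    def resolve(self, name: str) -> Optional[str]:
        return self.records.get(name)

    def sinkhole(self, name: str) -> None:
        """Registry action: point the name at the sinkhole's address."""
        self.records[name] = self.records[SINKHOLE]


def select_controller(resolver: Resolver, day: date, live_c2_ips: set) -> Optional[str]:
    """Bot side: try hard-coded controllers, then walk the day's DGA list.

    A sinkholed name still resolves, but to a host that does not speak the C2
    protocol, so the bot moves on; "speaks C2" is modelled as live_c2_ips membership.
    """
    for name in HARDCODED_C2 + dga_candidates(day):
        ip = resolver.resolve(name)
        if ip is not None and ip in live_c2_ips:
            return name
    return None


def run_scenario(day: date) -> Dict[str, Optional[str]]:
    """Walk through takedown, operator re-registration and defender response."""
    resolver = Resolver({
        "ircgalaxy.pl": "192.0.2.10",  # constructed TEST-NET addresses
        "zief.pl": "192.0.2.11",
        SINKHOLE: "192.0.2.200",
    })
    live_c2 = {"192.0.2.10", "192.0.2.11"}
    results = {"before_takedown": select_controller(resolver, day, live_c2)}

    for name in HARDCODED_C2:          # registry redirects the hard-coded domains
        resolver.sinkhole(name)
    results["after_sinkhole"] = select_controller(resolver, day, live_c2)

    fallback = dga_candidates(day)[42]  # operators register one DGA name for the day
    resolver.records[fallback] = "192.0.2.12"
    live_c2.add("192.0.2.12")
    results["operator_reregisters"] = select_controller(resolver, day, live_c2)

    for name in dga_candidates(day):    # defender holds the whole day's list instead
        resolver.sinkhole(name)
    results["defender_preregisters"] = select_controller(resolver, day, live_c2)
    return results


if __name__ == "__main__":
    for stage, chosen in run_scenario(EXAMPLE_DAY).items():
        print(f"{stage:22s} -> {chosen}")
```

The last stage is the expensive part for a real defender: denying the fallback means holding, or having the registries block, every candidate for every day the bots might try, across all TLDs the algorithm can emit, and many of those registries may be outside the reach of the team doing the takedown, which is exactly the limitation the paragraph above describes.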


12 thoughts on “Polish Takedown Targets ‘Virut’ Botnet”

    1. AndrzejL

      Now that’s funny… Botnet lovers disliked my previous post… 😉

      Teehee…

      Regards.

      Andrzej

  1. David M

    While it is nice to see CERT teams take down crap like this, it would be nice to see other CERT teams involved in helping take these guys down; it would be nice to see other registrars, ASNs, up- and downstream providers and ICANN get involved way more than they are. If there was a lot more cooperation with law enforcement and some of the governments involved where these are hosted, you could really do some damage to the cyber criminals. The lack of a lot of co-operation is really why these guys can thrive and keep on going. It amazes me that the MPAA and RIAA can get the U.S. government to go after copyright infringers over music and movie downloads and strike co-operation agreements like the ones recently struck with Russia for prosecution in copyright cases, but I have to wonder why they don't put the effort in for cybercrime that is costing more than copyright infringement is? Strikes me as odd, or maybe that is the lobbyists working for those entities that know how to pull the strings to get things done. I'd sure like to see cybercrime get a little more respect in shutting the bad guys down a lot faster and more preventively by getting rid of the malware-friendly registrars, ASNs and bulletproof hosters... but I think this is better than nothing... good work cert.pl!

    1. Uzzi

      Sorry to say but you’re wrong: There’s heavy cooperation between NGOs, CERTs and authorities worldwide going on, but it needs time and a lot of work to find, charge and convict a suspect. Took me two years of analysis and some luck to identify a bot herder and to convince state police to confiscate his machinery. He committed suicide a year and several months later – shortly before arraignment…
      …on the other hand you just need some scripts to handle several millions of copyright infringers, basically. And every copyright infringer pays the copyright mafia more profit than a legal customer does. You may call that a business plan.

      1. voksalna

        Uzzi,

        The way you put that it’s almost like you considered his suiciding a success story?

  2. Neej

    “Therefore, you agree you will not deliver your bundled files to anyone who can be offended by the QuickBundle technology described earlier.”

    Good to see them only infecting people who want their computer to become part of a spam spewing and God knows what else botnet!

    And here was me thinking they were just criminals infecting anyone they could.

  3. E.M.H.

    Wonder why they included a EULA? Either they thought it might absolve them in some nations of a crime, or they put it there as a joke. Either way, that’s an odd thing to do.

    Minute point, true, but still an odd one.

  4. RCL

    I wonder why botnet authors did not use Google as one of the failsafe mechanisms. It’s not hard to search for several uncommon fragments and probe the results for being C&C servers. Bots could have randomized search words from a larger body of text to avoid detection.

  5. Jay Pfoutz

    Brian! I went to Piotr’s profile on Facebook that you linked to, and saw the website he had listed: http://www.sysplex.pl

    I did a Whois query on it. The nameservers at 89.163.172.186 have IP PTR pointing back to 148.81.111.111, which is the IP of irc.zief.pl.

    Hopefully that helps, if you didn’t realize it.

Comments are closed.