Takeover of Virut domains

(Publication) Google search: [1]

Abstract

“ At the end of January and the beginning of February 2013 NASK (Research and Academic

Computer Network) { the .pl ccTLD Registry { and its security team CERT Polska took over 43 .pl domains used to control the Virut botnet and to spread malicious applications. These actions were preceded by a detailed legal and technical analyses and were supported by Spamhaus and VirusTotal. Some of these domains, even outside .pl domain, were an important part of the botnet infrastructure. As a result of these actions, all traffic from infected computers to the Command and Control servers were redirected to the sinkhole server controlled by CERT Polska. The action cripples criminals ability to control infected machines and allows to gather information about infected machines. This data is shared with all interested partners. From the gathered data, on average 270 thousand unique IP addresses connect to the botnet server every day, which is a good estimation of the botnet size at the day of takeover. Almost a half of infected machines are located in three countries: Egypt, Pakistan and India. Poland is located at the 19th place on the infection scale. This report presents the actions taken by NASK, methods used to gather data and their analysis, which offer additional insight into Virut activity, including a connection to the sale of fake antivirus applications.

Bibtex

 @misc{empty2013BFR1307,
   editor = {CERT Polska},
   author = {},
   title = {Takeover of Virut domains},
   date = {21},
   month = Feb,
   year = {2013},
   howpublished = {\url{http://www.cert.pl/news/6744/langswitch_lang/en}},
 }