Poland’s national domain registrar, NASK, has taken control of 23 domains it said were being used to support the Virut botnet, which has been attempting to resurrect the tenacious Waledac/Kelihos bot severely damaged by Microsoft in 2011.
Virut itself is relatively modest on the botnet scale at any one moment in time, with perhaps 300,000 clients in its grip, but it has proved incredibly resilient, having survived attempts to shut it down since appearing in 2006.
It is also virulent, NASK said, having infected 890,000 IP addresses during 2012 in Poland alone, which means it is able to keep finding new machines to infect even as previously infected ones are detected.
In addition to sinkholing the domains, NASK said it had disrupted Virut’s command-and-control infrastructure, which will put the bot on the slide for the time being at least.
As to what Virut has been used for, it would be easier to name the scams and malware it hasn’t been involved with. NASK mentions spam, DDoS, and malware such as Zeus (a rapacious banking Trojan) and the Palevo worm, not to mention pay-per-install malware campaigns. But it is its possible involvement in attempting to revive the defunct Waledac (aka Kelihos) botnet that is the most intriguing.
According to a report from Symantec last week, Waledac.D had recently been on an upswing as a spam platform, with Virut suspected as the distribution mechanism. The best way to heal a broken botnet? Using another botnet, apparently.
This will dismay bot-hunters who had thought this particular nasty might be gone for good after a notable operation called ‘b49’, in which Microsoft shuttered the whole C&C and its associated domain infrastructure in a matter of weeks during 2011.
Since that time, Kelihos has tried to rise again but has struggled to make much impression, until now. Symantec said the number of infected machines was around the 80,000 mark, which suggests the bot was gaining traction.
Redmond’s lawyers later accused a named Russian of being behind Kelihos/Waledac, a charge denied by the individual concerned. Unusually, the company later backed down on the accusation.
NASK's actions are a welcome if unexpected event, apparently carried out with the help of Spamhaus and VirusTotal.