Polish CERT acts against Virut malware with domain takedowns

CERT Polska, a computer emergency response team in Poland that is run under the aegis of the country’s Research and Academic Network (NASK), has announced takedown action against a raft of web servers associated with the Virut family of malware.

Most zombies (malware-infected PCs that a crook can control remotely) rely on connecting to so-called C&C (command-and-control) servers to find out what to do next.

So taking over some or all of those servers can make a big difference, at least temporarily, to the crooks’ ability to operate their botnets.

Every infected PC that crooks can no longer send on a criminal mission represents lost opportunity and lost revenue, and that hits them where it hurts: the pocket.

Why do bots need C&C servers?

Modern PCs are almost always behind some sort of network firewall or NAT router, and by default can't accept incoming network connections. Since the crooks can't push instructions directly to their bots, they program the bots to pull commands from external C&C servers instead, over outbound connections of the kind the firewall lets through anyway.

HTTP connections, of the kind that web browsers and legitimate software updaters make all the time, are commonly used, because the bot's traffic then blends in with ordinary web activity. But instead of downloading the latest news or security patches, zombies download orders for their next burst of cybercriminality.

Example zombie commands might be: display these popup ads; send spam to this list of unsuspecting victims; scour your own hard disk for personal data; take a screenshot; or, just like legitimate software, install an update.

When CERTs or law enforcement take down C&C domains in their jurisdiction, they may also be able to turn those domains into what are known as sinkholes: servers under the defenders' control that answer the bots' requests in the crooks' place.

These can provide valuable insight into the extent and operation of botnets (every beacon that arrives is an infected PC announcing itself), as well as shielding victims from harm, because infected PCs start talking to the sinkholes instead of the crooks and receive no orders.
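To make the pull model and the sinkhole concrete, here is a small added example (not CERT Polska's sinkhole code, and not taken from the original article). It assumes a hypothetical bot that polls an HTTP path of the form /gate.php?id=&lt;bot id&gt;&v=&lt;version&gt;; the sinkhole logs who asked and hands back an empty command, and a second function turns those logs into the "how big is this botnet?" view a CERT wants. The beacons used for the demo are constructed, not captured.

```python
"""Minimal HTTP sinkhole for a polling bot, plus log summarisation.

Illustrative example only. The beacon format (/gate.php?id=...&v=...) and
the sample beacons below are constructed for this example; they are not
Virut's real protocol.
"""
import json
from collections import Counter
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# A sinkhole must answer, or the bot may fall back to another server; it
# answers with an empty command so the infected PC is given nothing to do.
EMPTY_COMMAND = b""


def beacon_record(src_ip, user_agent, path, when=None):
    """Parse one bot poll into a structured log entry."""
    url = urlparse(path)
    params = parse_qs(url.query)
    when = when or datetime.now(timezone.utc)
    return {
        "ts": when.isoformat(),
        "src": src_ip,
        "ua": user_agent,
        "path": url.path,
        "bot_id": params.get("id", [None])[0],   # per-infection identifier, if sent
        "version": params.get("v", [None])[0],   # malware build, if sent
    }


class SinkholeHandler(BaseHTTPRequestHandler):
    """Accept the bot's poll, record who asked, and hand back no work."""

    log_lines = []  # in memory for the example; a real sinkhole writes to disk or a database

    def do_GET(self):
        record = beacon_record(self.client_address[0],
                               self.headers.get("User-Agent", ""),
                               self.path)
        self.log_lines.append(json.dumps(record))
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(EMPTY_COMMAND)))
        self.end_headers()
        self.wfile.write(EMPTY_COMMAND)

    def log_message(self, fmt, *args):  # keep stderr quiet; we log to log_lines instead
        return


def summarise(log_lines):
    """Size and shape of the infected population seen by the sinkhole."""
    records = [json.loads(line) for line in log_lines]
    return {
        "beacons": len(records),
        "unique_ips": len({r["src"] for r in records}),
        "unique_bot_ids": len({r["bot_id"] for r in records if r["bot_id"]}),
        "versions": Counter(r["version"] for r in records),
        "top_sources": Counter(r["src"] for r in records).most_common(3),
    }


# Constructed sample beacons: (source IP, User-Agent, request path).
SAMPLE_BEACONS = [
    ("198.51.100.7", "Mozilla/4.0", "/gate.php?id=a1b2c3&v=2"),
    ("198.51.100.7", "Mozilla/4.0", "/gate.php?id=a1b2c3&v=2"),
    ("198.51.100.7", "Mozilla/4.0", "/gate.php?id=a1b2c3&v=2"),
    ("203.0.113.42", "Mozilla/4.0", "/gate.php?id=ff00ee&v=3"),
    ("192.0.2.15", "Mozilla/4.0", "/gate.php?id=0badca&v=2"),
]


def demo_logs():
    """The log lines the sinkhole would have written for SAMPLE_BEACONS."""
    return [json.dumps(beacon_record(ip, ua, path)) for ip, ua, path in SAMPLE_BEACONS]


def serve(port=8080):
    """Run the sinkhole; point the taken-over domain's DNS at this host."""
    HTTPServer(("0.0.0.0", port), SinkholeHandler).serve_forever()


if __name__ == "__main__":
    print(summarise(demo_logs()))
```

Two practical points the code reflects: the sinkhole counts unique source addresses and unique bot identifiers separately, because NAT hides many infected PCs behind one IP while a single PC may reappear on several addresses; and it deliberately returns a well-formed but empty response rather than dropping the connection, so the bot keeps believing it has found its master.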

CERT Polska announced the sinkholing of 23 domain names, including zief.pl and ircgalaxy.pl, web properties that are broadly associated not just with Virut but also, the CERT says, Palevo and the infamous Zeus family of malware (also known as Zbot).

Botnet operators can be pretty brazen.

Brian Krebs, in a fascinating writeup of this takedown, tracked down a cached copy of an End User Licence Agreement (EULA) from the now defunct website exerevenue.com, an affiliate network associated with the distribution and monetisation of Virut.

You read that correctly: a EULA for a virus infection.

The details are as astonishing as they are brazen. The act of infection, where malware spreads parasitically into other files on your PC, is referred to by the genteel name of bundling; the code that carries out the infection becomes the positive-sounding QuickBundle technology; and infected files bring you the reassuring benefit of enriching your files with ad-supported content.

In a burst of irony that would be amusing if it were not also chilling, you are officially authorised, just about urged, in fact, to redistribute the software yourself, above and beyond its own viral replication. But there are limits to the criminals' goodwill:

ExeRevenue grants you a non-exclusive license under the terms and conditions of this Agreement to install and use the Software in whichever version AND to redistribute it to any third party, assuming they do not reject this Agreement. One exception is that you are absolutely NOT ALLOWED TO DISTRIBUTE the Software to computer security organizations, and to any person or organization who tries to enforce policies about what can and what cannot exist in the Internet.

Faced with that sort of arrogance, the intervention of CERTs and law enforcement in this sort of takedown has to be applauded.

The benefits of a takedown are usually fairly brief, because the crooks, sadly, just move somewhere else, and may even program their malware with an automatic system for finding new C&C servers, such as a domain generation algorithm that derives a fresh list of rendezvous names from the current date.
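The following added example (not the article's code, and not Virut's actual algorithm, which the article does not describe) shows why a domain takedown buys limited time and what defenders do about it. The seed, hashing scheme, TLD list, number of names per day and example date are all assumptions made for illustration; the bot side tries each day's candidates in turn, and the defender side, having reversed the same algorithm, computes the coming days' names ahead of the crooks so they can be registered and sinkholed first.

```python
"""Toy domain generation algorithm (DGA) and the defender's counter-move.

Illustrative example only; the seed, hashing scheme and TLD list are
assumptions, not any real malware family's parameters.
"""
import hashlib
from datetime import date, timedelta

SEED = b"example-campaign-seed"   # assumed: a constant baked into the bot binary
TLDS = ["pl", "com", "net"]       # assumed
PER_DAY = 5                       # assumed: candidate names the bot tries each day
EXAMPLE_DAY = date(2013, 1, 18)   # constructed date for the demo below


def domains_for(day, seed=SEED, n=PER_DAY):
    """Bot side: derive the day's candidate C&C names from the date and seed.

    Anyone who knows the algorithm and seed gets the same list, which is
    exactly what the defender exploits in defender_preregister().
    """
    names = []
    for i in range(n):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).hexdigest()
        names.append(f"{digest[:10]}.{TLDS[i % len(TLDS)]}")
    return names


def pick_cnc(candidates, is_live):
    """Bot side: contact the first candidate that answers, or give up for today.

    is_live is injected (a real bot would do a DNS lookup and a protocol
    handshake) so the example runs offline.
    """
    for name in candidates:
        if is_live(name):
            return name
    return None


def defender_preregister(days_ahead, today, seed=SEED):
    """Defender side: the names the bots will try on each coming day.

    Registering or blocking these before the crooks do turns every future
    rendezvous point into a sinkhole, which is how the short-lived benefit of
    a single takedown is stretched into something lasting.
    """
    return {
        (today + timedelta(days=d)).isoformat(): domains_for(today + timedelta(days=d), seed)
        for d in range(days_ahead)
    }


if __name__ == "__main__":
    for day, names in defender_preregister(3, EXAMPLE_DAY).items():
        print(day, names)
```

The weakness this models is that a purely date-driven DGA is predictable to anyone holding the binary; real families complicate matters (larger daily lists, seeds taken from unpredictable public data, or a peer-to-peer fallback), which is why sinkholing a known list, as in this takedown, is a start rather than an end.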

But you have to start somewhere, and every takedown demarcates a part of the internet where the Good Guys have said, “No more!”

If nothing else, this sends a message to the sort of fringe-dwelling ISP that is willing to take dirty money by turning a blind eye to cybercriminality.

You’ll find a brief history of many well-known takedowns on Naked Security.

Some good examples include: McColo and its aftermath; the Nitol takedown and the settlement that followed; Mariposa (Spanish for butterfly, the name of one of its C&C servers), a takedown also related to the Palevo malware mentioned above; and last, but by no means least, Kim Dotcom’s Megaupload.