1 Executive summary
At the end of January and the beginning of February 2013 NASK (Research and Academic
Computer Network), the .pl ccTLD Registry, and its security team CERT Polska
took over 43 .pl domains used to control the Virut botnet and to spread malicious
applications. These actions were preceded by detailed legal and technical analyses and
were supported by Spamhaus and VirusTotal. Some of these domains, even outside the .pl
domain, were an important part of the botnet infrastructure. As a result of these actions,
all traffic from infected computers to the Command and Control servers was redirected
to a sinkhole server controlled by CERT Polska. The action cripples the criminals' ability
to control infected machines and allows information about infected machines to be gathered.
This data is shared with all interested partners. According to the gathered data, on average 270
thousand unique IP addresses connect to the botnet server every day, which is a good
estimate of the botnet size at the day of takeover. Almost half of the infected machines
are located in three countries: Egypt, Pakistan and India. Poland ranks 19th
on the infection scale. This report presents the actions taken by NASK, the methods
used to gather data and their analysis, which offer additional insight into Virut activity,
including a connection to the sale of fake antivirus applications.
Read more: http://www.cert.pl/PDF/Report_Virut_EN.pdf