Polish registrar NASK has seized domains used by Virut, a botnet thought to include an estimated 300,000 zombie PCs.
NASK took the action late last week, the first time the registrar has moved against domains used for malware, after being approached by the anti-spam organisation Spamhaus. Spamhaus has also contacted the Austrian and Russian CERTs to deactivate Virut servers outside Poland.
NASK reports that it sinkholed 23 domain names, so infected machines querying them now reach a server controlled by the registrar rather than the botnet operators. In addition to the domain seizures, Virut's two command and control servers were deactivated.
The Virut botnet was ranked fifth in the world in terms of infections, NASK and CERT Poland said, citing a statistic from antivirus company Kaspersky Lab. Virut is thought to have infected machines associated with 890,000 unique IP addresses during 2012 in Poland alone, NASK said.
The revenue generated by Virut is estimated at around 1 million zloty (€250,000), according to the prominent Polish security blog Niebezpiecznik. Virut even shipped with its own end user licence agreement (EULA), as security blogger Brian Krebs discovered.
Virut has been on the radar of the Polish CERT since 2006. According to Team Furry, a research group, the botnet was created by two Poles, and it is now used to send spam, carry out DDoS attacks, and steal data. While the identities of those behind the botnet have been known since 2007, no legal action has been taken against them.
Virut may now be working in conjunction with the Russian Waledac botnet, Symantec believes. Although Waledac was publicly taken down in early 2010, there is evidence that it has been reactivated: Virut now appears to download variants of the Waledac worm onto compromised PCs as well. According to Niebezpiecznik, the combined Waledac-Virut operation is capable of sending 3.6 billion spam emails every 24 hours.