In the past, we have written about the file infector known as W32.Virut. We have even provided insight into trying to shut the botnet down. Due to a recent judicial proceeding causing a temporary outage of the Virut command-and-control (C&C) server domains, we were able to gather information on the size and demographics of the botnet by predicting and sinkholing the domains produced by its random domain generator backup. Unfortunately, the outage was only temporary, and Virut remains active.
Hardcoded servers and domain generation
Among the C&C servers used by W32.Virut, the domains irc.zief.pl and proxim.ircgalaxy.pl are hardcoded into the threat and used to receive instructions. However, recent versions also include a domain generator as a backup, used only if the hardcoded servers cannot be reached. Symantec's monitoring of Virut observed that the long-running Virut C&C domains stopped responding to connecting clients around mid-November 2012, with a corresponding change in registrar status:
Figure 1. Status of known Virut C&C servers changed to “undergoing proceeding”
According to the Domain Name Registry in Poland, the status “is undergoing proceeding” means that the domain is the subject of a judicial proceeding. Similar changes were observed for other Virut domains.
Sinkholing generated domains
As a result of the C&C servers no longer responding to connecting clients, the Virut clients began using the random domain generator backup. Symantec took advantage of this opportunity to research the domain generator used by Virut and begin sinkholing domains in order to get an estimate of the botnet size.
We managed to sinkhole domains for a period of three days and gathered statistics based on the connections made.
Statistics on Virut botnet
Figure 2. Virut global detections, based on sinkhole data
While Virut detections are spread over the globe, the data indicates concentrations in Egypt, the Indian subcontinent, and Indonesia:
Figure 3. Breakdown of Virut botnet by country
Based on the sinkhole data obtained, the Virut botnet is estimated at approximately 308,000 unique compromised computers that are active on a given day. This estimate is conservative since computers turned off or disconnected from the internet for a given day are not included.
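The size estimate above comes from counting the distinct clients that contacted the sinkholed domains each day. The following Python is an added example, not Symantec's own tooling: it runs that calculation over a few constructed sinkhole log lines, with a constructed prefix-to-country map standing in for a GeoIP lookup, and shows why the figure is conservative, since several infected hosts behind one NAT gateway appear as a single client.

```python
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample lines (not real sinkhole data): "timestamp client_ip queried_domain"
SAMPLE_LOG = """\
2012-11-20T08:01:12Z 203.0.113.10 xkq3p.com
2012-11-20T08:05:40Z 203.0.113.10 xkq3p.com
2012-11-20T09:17:03Z 198.51.100.7 m2vbd.com
2012-11-20T23:59:59Z 192.0.2.55 xkq3p.com
2012-11-21T00:00:01Z 203.0.113.10 b7zzt.com
2012-11-21T11:30:00Z 198.51.100.7 b7zzt.com
2012-11-21T11:30:05Z 198.51.100.8 b7zzt.com
"""
# Constructed prefix-to-country map standing in for a GeoIP database (assumption)
GEO_PREFIXES = {"203.0.113.0/24": "EG", "198.51.100.0/24": "IN", "192.0.2.0/24": "ID"}

def country_for(ip):
    addr = ipaddress.ip_address(ip)
    for prefix, cc in GEO_PREFIXES.items():
        if addr in ipaddress.ip_network(prefix):
            return cc
    return "??"

def parse_log(text):
    """Yield (day, client_ip, domain); malformed lines are skipped."""
    for line in text.splitlines():
        try:
            ts_s, ip, domain = line.split()
            day = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ").date().isoformat()
        except ValueError:  # wrong field count or unparseable timestamp
            continue
        yield day, ip, domain

def daily_unique_clients(text):
    """Unique client IPs per day: repeat check-ins from one IP count once, so a NAT
    gateway hiding many infected hosts makes this a conservative count."""
    seen = defaultdict(set)
    for day, ip, _ in parse_log(text):
        seen[day].add(ip)
    return {day: len(ips) for day, ips in sorted(seen.items())}

def country_breakdown(text):
    """Fraction of all unique client IPs attributed to each country."""
    ips = {ip for _, ip, _ in parse_log(text)}
    counts = defaultdict(int)
    for ip in ips:
        counts[country_for(ip)] += 1
    return {cc: round(n / len(ips), 3) for cc, n in counts.items()}
```

On the sample data both days show three active clients even though 203.0.113.10 checked in twice on the first day, which is exactly the per-day deduplication behind the 308,000 figure.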
Hardcoded domains return
In early December 2012, WHOIS information for the zief.pl domain showed a status change away from "undergoing proceeding".
Figure 4. Known Virut C&C server domain now parked as fastpark.net
This domain was parked on December 12. A short time later, the status of both the zief.pl and ircgalaxy.pl domains changed again:
Figure 5. Both zief.pl and ircgalaxy.pl domains back online
On December 26, both hardcoded C&C servers were back online and, on December 28, we began seeing new payloads being pushed to clients in the Virut botnet.
Virut has been observed pushing out many payloads with the functionality to send out email spam for advertisements and fraud, to send emails with malicious attachments pretending to be from the U.S. Postal Service, to perform click fraud, to host an Internet proxy service on the compromised machine, and more. This is nasty malware.
In summary, the hardcoded servers used by Virut were taken offline, and the botnet fell back to its domain generation algorithm. This fallback allowed us to gather statistics on the botnet and estimate its size at approximately 308,000 unique Virut clients active in a single day. However, the original hardcoded servers were not permanently taken offline—they came back online in late December—and started distributing new payloads once again, meaning that the botnet remains active.