Security researchers were able to decommission a number of domain names used by cyber crooks to load the Virut malware onto computers, according to the international non-profit anti-spam organization The Spamhaus Project Ltd.

Spamhaus said the Virut botnet has been dropping the ZeuS e-banking Trojan and the Kelihos spambot onto Virut-infected computers as part of the crime ring’s “Pay Per Install” business model, in which other cyber criminals pay the Virut botmasters to install their own virus on Virut-infected machines.

Spamhaus worked with the Polish Computer Emergency Response Team, NASK, the domain registrar and Group-IB, a Russian information security firm, in the crackdown.

“NASK has taken over multiple domain names used for criminal activities, making their further usage for illegal purposes impossible,” CERT Poland said in a statement on its Web site. “The domain names were used to spread and control a dangerous malware known as ‘Virut’.”

Virut has been one of the most “disturbing threats” on the Internet since 2006, according to CERT.



Spamhaus said Virut is a worm that typically spreads through removable drives such as USB sticks and through network shares, but can also proliferate via file infection. It is estimated to have infected no fewer than 300,000 computers.

The domain names used by cyber criminals to distribute Virut are “mainly within the .pl ccTLD (Poland), but also within the .ru ccTLD (Russia) and the .at ccTLD (Austria),” said Spamhaus in a statement. “These domains are registered by the operators of Virut to control the botnet.”
