Insights into Shutting Down the Virut Botnet

Virut is a Windows file infector that propagates by infecting executable and Web-related files (such as .html, .php or .asp files). Its payload runs as a remote thread inside winlogon.exe, a well-known, critical Windows process.
The payload does two things:

It infects other files.

It connects to a command and control (C&C) server.

The C&C channel is established over IRC. The IRC host names and ports are hard-coded inside the virus body and may be updated during propagation. The protocol details vary between variants. For instance, Virut may connect to a high TCP port and encrypt the session with a custom symmetric algorithm. Beneath the encrypted layer are standard IRC commands. It is worth noting that the key is never directly exchanged between the client and its server, so the server has to brute-force it, using a known-plaintext/known-ciphertext attack on the initial IRC nickname (NICK) request.
Other versions do not encrypt the communication channel and may use the HTTP port to evade firewalls that do not inspect packets at the application layer. Either way, at the IRC level the protocol details are as follows. First, the client initiates a connection by sending the NICK and USER commands:
NICK
USER . . :
For instance:
NICK qjhfdskj
USER d020501 . . :%111111118 Service Pack 2
It then decrypts a hard-coded channel name embedded in the virus body, and joins it:
JOIN #.
The bot then waits for IRC requests (continue reading...)
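The handshake above (NICK, then USER, then JOIN, on a port that is either high or the HTTP port) is enough to write a network-side detector for the unencrypted variants. The following is an added example, not code from the original post or from any Virut analysis tool. It assumes a sensor has already reassembled each client-to-server stream into a (destination port, payload text) pair, reuses the post's sample NICK/USER lines with a constructed placeholder channel, and treats the service-pack string in the realname field and the random-looking nickname as heuristics derived from that sample rather than documented Virut constants.

```python
import re
from dataclasses import dataclass, field

# Ports a sensor would normally associate with IRC; anything else is a signal.
IRC_STANDARD_PORTS = {6667, 6697}
HTTP_PORT = 80

# The three commands of the handshake described in the post, in the order the bot sends them.
NICK_RE = re.compile(r"^NICK\s+(\S+)\s*$", re.IGNORECASE)
USER_RE = re.compile(r"^USER\s+(\S+)\s+\S+\s+\S+\s+:(.*)$", re.IGNORECASE)
JOIN_RE = re.compile(r"^JOIN\s+(#\S+)", re.IGNORECASE)


@dataclass
class Finding:
    dst_port: int
    nick: str
    user: str
    realname: str
    channel: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A bare IRC handshake is one reason; flag only when something else is off too.
        return len(self.reasons) >= 2


def parse_irc_handshake(payload: str):
    """Return (nick, user, realname, channel) when the payload carries NICK, then USER,
    then JOIN in that order; otherwise None."""
    nick = user = realname = channel = None
    for raw in payload.splitlines():
        line = raw.strip()
        if nick is None:
            m = NICK_RE.match(line)
            if m:
                nick = m.group(1)
        elif user is None:
            m = USER_RE.match(line)
            if m:
                user, realname = m.group(1), m.group(2)
        elif channel is None:
            m = JOIN_RE.match(line)
            if m:
                channel = m.group(1)
                break
    if None in (nick, user, realname, channel):
        return None
    return nick, user, realname, channel


def assess_session(dst_port: int, payload: str):
    """Score one reassembled client-to-server stream. Returns a Finding or None."""
    parsed = parse_irc_handshake(payload)
    if parsed is None:
        return None
    nick, user, realname, channel = parsed
    reasons = ["IRC NICK/USER/JOIN handshake"]
    if dst_port == HTTP_PORT:
        reasons.append("IRC commands on TCP/80, the HTTP port")
    elif dst_port not in IRC_STANDARD_PORTS and dst_port >= 1024:
        reasons.append(f"IRC on non-standard high port {dst_port}")
    # Heuristic taken from the post's sample USER line, where the realname field carries
    # a Windows service-pack string rather than a person's name.
    if "service pack" in realname.lower():
        reasons.append("realname field carries a Windows service-pack string")
    # Heuristic: the sample nickname is a run of random-looking lowercase letters.
    if re.fullmatch(r"[a-z]{6,12}", nick):
        reasons.append("random-looking lowercase nickname")
    return Finding(dst_port, nick, user, realname, channel, reasons)


def scan(sessions):
    """Run assess_session over (dst_port, payload) pairs and keep only suspicious findings."""
    findings = []
    for dst_port, payload in sessions:
        f = assess_session(dst_port, payload)
        if f is not None and f.suspicious:
            findings.append(f)
    return findings


# Constructed sample streams (not real captures). The first reuses the post's NICK/USER
# lines with a placeholder channel; the others are benign HTTP and ordinary IRC traffic.
SAMPLE_SESSIONS = [
    (65520, "NICK qjhfdskj\r\nUSER d020501 . . :%111111118 Service Pack 2\r\nJOIN #placeholder\r\n"),
    (80, "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (6667, "NICK alice\r\nUSER alice 0 * :Alice Smith\r\nJOIN #linux\r\n"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_SESSIONS):
        print(f"port {f.dst_port}: nick={f.nick} channel={f.channel}")
        for r in f.reasons:
            print("  -", r)
```

Only the first constructed stream is reported: it carries the handshake on a high port with a service-pack realname and a random-looking nickname, while the plain HTTP request never parses and the ordinary IRC session on 6667 yields a single reason and stays below the threshold. The check only sees plaintext, so the variants that wrap IRC in the custom cipher will not match; for those, the post's own observation that the bot's thread runs inside winlogon.exe is the host-side indicator to pair with a network alert on unexplained high-port connections.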

Copyright © 2012 The Security Blog. All rights reserved.