Virut botnet report
At the end of January and the beginning of February 2013 NASK (Research and Academic Computer Network) — the .pl ccTLD Registry — and its security team CERT Polska took over 43 .pl domains used to control the Virut botnet and to spread malicious applications. As a result of this action, all traffic from infected computers to the Command and Control servers were redirected to the sinkhole server controlled by CERT Polska. Today, we publish a report with a detailed analysis of this traffic. Most important highlights from the report are:
- On average 270 thousand unique IP addresses connect to the botnet server every day.
- Almost a half of infected machines are located in three countries: Egypt, Pakistan and India.
- Poland is located at the 19th place on the infection scale.
- Virut criminal activity can also be connected with a FakeAV software.
- Some Virut bots implemented Domain Generation Algorithm and encryption, details of which can be found in the report.
- We were able to distinguish over 20 different versions of Virut malware.
- Virut infected machines with 8 different Windows versions, starting with Windows 98 up to Windows 8.