Virut botnet report

At the end of January and the beginning of February 2013 NASK (Research and Academic Computer Network) — the .pl ccTLD Registry — and its security team CERT Polska took over 43 .pl domains used to control the Virut botnet and to spread malicious applications. As a result of this action, all traffic from infected computers to the Command and Control servers was redirected to a sinkhole server controlled by CERT Polska. Today, we publish a report with a detailed analysis of this traffic. The most important highlights from the report are:

  • On average, 270 thousand unique IP addresses connect to the botnet server every day.
  • Almost half of the infected machines are located in three countries: Egypt, Pakistan and India.
  • Poland ranks 19th on the infection scale.
  • Virut criminal activity can also be connected with FakeAV software.
  • Some Virut bots implemented a Domain Generation Algorithm and encryption, details of which can be found in the report.
  • We were able to distinguish over 20 different versions of the Virut malware.
  • Virut infected machines running 8 different Windows versions, from Windows 98 up to Windows 8.

The full text of the report can be found here or under the “Reports” tab.
