Virut botnet report

Date of publication: 21/02/2013, CERT Polska

At the end of January and the beginning of February 2013, NASK (Research and Academic Computer Network), the .pl ccTLD registry, and its security team CERT Polska took over 43 .pl domains used to control the Virut botnet and to spread malicious applications. As a result, all traffic from infected computers to the Command and Control servers was redirected to a sinkhole server operated by CERT Polska.

Today we publish a report with a detailed analysis of this traffic. The most important highlights of the report are:

    • On average 270 thousand unique IP addresses connect to the sinkhole server every day.
    • Almost half of the infected machines are located in three countries: Egypt, Pakistan and India.
    • Poland ranks 19th by number of infections.
    • Virut criminal activity can also be linked to FakeAV software.
    • Some Virut bots implemented a domain generation algorithm (DGA) and encryption of C&C traffic; details can be found in the report.
    • We were able to distinguish over 20 different versions of the Virut malware.
    • Virut infected machines running 8 different Windows versions, from Windows 98 up to Windows 8.
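The daily unique-IP and per-country figures above are the kind of statistics a sinkhole operator derives from its connection logs. The following is an added example, not CERT Polska's code or data: it assumes a hypothetical three-field log format (timestamp, source IP, country code, as a GeoIP lookup would produce) and uses constructed sample lines. It counts each infected host once per day and once per country rather than once per connection, since a single bot reconnects many times.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample sinkhole log (not real CERT Polska data).
# Hypothetical format: "<ISO timestamp> <source IP> <country code>"
SAMPLE_LOG = """\
2013-02-01T00:01:02 203.0.113.5 EG
2013-02-01T00:05:17 203.0.113.5 EG
2013-02-01T01:12:44 198.51.100.77 PK
2013-02-01T02:30:00 192.0.2.10 IN
2013-02-01T03:00:00 192.0.2.11 PL
2013-02-02T00:00:10 203.0.113.5 EG
2013-02-02T00:10:10 198.51.100.78 PK
2013-02-02T04:00:00 192.0.2.10 IN
"""


def parse(log):
    """Yield (date, ip, country) tuples, skipping blank lines."""
    for raw in log.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        ts, ip, cc = raw.split()
        yield datetime.fromisoformat(ts).date(), ip, cc


def daily_unique_ips(log):
    """Number of distinct source IPs seen per calendar day."""
    per_day = defaultdict(set)
    for day, ip, _ in parse(log):
        per_day[day].add(ip)          # a set, so repeat connections count once
    return {d.isoformat(): len(ips) for d, ips in sorted(per_day.items())}


def average_daily_unique(log):
    """The 'unique IPs per day' headline figure, averaged over all days."""
    counts = daily_unique_ips(log)
    return sum(counts.values()) / len(counts)


def country_share(log):
    """Distinct IPs per country, most affected first, with the fraction of all IPs."""
    first_country = {}
    for _, ip, cc in parse(log):
        first_country.setdefault(ip, cc)   # attribute each IP to one country
    counts = Counter(first_country.values())
    total = sum(counts.values())
    return [(cc, n, n / total) for cc, n in counts.most_common()]


def top_countries_share(log, n=3):
    """Fraction of all distinct IPs that fall in the n most affected countries."""
    return sum(share for _, _, share in country_share(log)[:n])


if __name__ == "__main__":
    print(daily_unique_ips(SAMPLE_LOG))
    print(average_daily_unique(SAMPLE_LOG))
    print(country_share(SAMPLE_LOG))
    print(top_countries_share(SAMPLE_LOG))
```

Unique IP addresses are only a proxy for infected machines: hosts behind a shared NAT collapse into one address, while a host whose DHCP lease changes appears as several, so the same caveat applies to the 270 thousand figure as to any sinkhole-based count.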

The full text of the report can be found here or under the “Reports” tab.