At the end of January and the beginning of February 2013 NASK (Research and Academic Computer Network) — the .pl ccTLD Registry — and its security team CERT Polska took over 43 .pl domains used to control the Virut botnet and to spread malicious applications. As a result of this action, all traffic from infected computers to the Command and Control servers was redirected to a sinkhole server controlled by CERT Polska.
Today, we publish a report with a detailed analysis of this traffic. The most important highlights from the report are:
- On average 270 thousand unique IP addresses connect to the botnet server every day.
- Almost half of the infected machines are located in three countries: Egypt, Pakistan and India.
- Poland ranks 19th on the infection scale.
- Virut criminal activity can also be connected with FakeAV software.
- Some Virut bots implemented a Domain Generation Algorithm and encryption; details of both can be found in the report.
- We were able to distinguish over 20 different versions of Virut malware.
- Virut infected machines running 8 different Windows versions, from Windows 98 up to Windows 8.
The full text of the report can be found here or under the “Reports” tab.
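The headline numbers above (unique IP addresses per day, share of infections per country) are the kind of statistics a sinkhole operator derives from the redirected connection logs. The script below is an added example, not CERT Polska's code or data: it parses a constructed set of sinkhole connection records (timestamp, client IP, requested C2 domain) and a hypothetical IP-to-country table standing in for a GeoIP database, skips malformed lines, and computes daily unique IPs, their average, and the per-country share of infected addresses.

```python
"""Sinkhole traffic summary: daily unique IPs and per-country share.

Added example, not CERT Polska's code. Input lines are constructed
sinkhole connection records of the form
    <ISO timestamp> <client IP> <requested C2 domain>
and GEOIP is a hypothetical stand-in for a real GeoIP lookup.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample of sinkhole connection records (not real data).
# Addresses are from documentation ranges; domains are placeholders.
SAMPLE_LOG = """\
2013-02-01T00:01:10Z 198.51.100.7 example-c2-a.pl
2013-02-01T00:02:44Z 198.51.100.7 example-c2-b.pl
2013-02-01T03:15:00Z 203.0.113.9 example-c2-a.pl
2013-02-01T09:40:21Z 192.0.2.33 example-c2-a.pl
2013-02-02T01:00:00Z 198.51.100.7 example-c2-a.pl
2013-02-02T02:30:00Z 203.0.113.44 example-c2-b.pl
2013-02-02T11:12:13Z 192.0.2.33 example-c2-b.pl
2013-02-02T12:00:00Z 192.0.2.35 example-c2-a.pl
garbage line that should be skipped
"""

# Hypothetical GeoIP table keyed by network; a real analysis would query a GeoIP database.
GEOIP = {
    ipaddress.ip_network("198.51.100.0/24"): "EG",
    ipaddress.ip_network("203.0.113.0/24"): "PK",
    ipaddress.ip_network("192.0.2.0/24"): "PL",
}


def country_of(ip):
    """Return the country code for an IP, or '??' if no network matches."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP.items():
        if addr in net:
            return cc
    return "??"


def parse_records(text):
    """Yield (date, ip, domain) tuples, silently skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, ip, domain = parts
        try:
            day = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
            ipaddress.ip_address(ip)  # validates the address format
        except ValueError:
            continue
        yield day, ip, domain


def daily_unique_ips(text):
    """Number of distinct client IPs seen per day, keyed by ISO date string."""
    seen = defaultdict(set)
    for day, ip, _ in parse_records(text):
        seen[day].add(ip)
    return {day.isoformat(): len(ips) for day, ips in sorted(seen.items())}


def average_daily_unique(text):
    """Mean of the daily unique-IP counts (the report's headline metric)."""
    daily = daily_unique_ips(text)
    return sum(daily.values()) / len(daily) if daily else 0.0


def country_share(text):
    """Fraction of distinct infected IPs over the whole period, per country."""
    ips = {ip for _, ip, _ in parse_records(text)}
    counts = defaultdict(int)
    for ip in ips:
        counts[country_of(ip)] += 1
    total = len(ips)
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return {cc: round(n / total, 3) for cc, n in ordered}


if __name__ == "__main__":
    print(daily_unique_ips(SAMPLE_LOG))      # {'2013-02-01': 3, '2013-02-02': 4}
    print(average_daily_unique(SAMPLE_LOG))  # 3.5
    print(country_share(SAMPLE_LOG))         # {'PK': 0.4, 'PL': 0.4, 'EG': 0.2}
```

Unique IP addresses are only a proxy for infected machines: NAT hides several hosts behind one address, while DHCP churn makes one host appear as several over a day, which is why the report counts addresses rather than claiming an exact number of bots.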