At the end of January and the beginning of February 2013 NASK (Research and Academic Computer Network) — the .pl ccTLD Registry — and its security team CERT Polska took over 43 .pl domains used to control the Virut botnet and to spread malicious applications. As a result of this action, all traffic from infected computers to the Command and Control servers was redirected to a sinkhole server controlled by CERT Polska.



Today we publish a report with a detailed analysis of this traffic. The most important highlights from the report are:

On average, 270 thousand unique IP addresses connect to the botnet server every day.

Almost half of the infected machines are located in three countries: Egypt, Pakistan and India.

Poland ranks 19th by number of infections.

Virut criminal activity can also be linked to FakeAV software.

Some Virut bots implement a domain generation algorithm (DGA) and encryption; details can be found in the report.

We were able to distinguish over 20 different versions of the Virut malware.

Virut infected machines running 8 different Windows versions, from Windows 98 up to Windows 8.

The full text of the report can be found here or under the “Reports” tab.