Virut Botnet

Virut is a botnet malware family that was first seen in 2006. The botnet was believed to have been mostly shut down by a Polish-led sinkhole operation in 2013. Some variants have been observed evading the sinkhole and distributing additional malware in November 2018.

Virut spreads by injecting code into any executable or screensaver file that is accessed. It also injects malicious iframes into HTML, PHP and ASP files. This means that Virut can be distributed to additional devices via network shares, removable drives and malvertising. The most recent variants inject code into the winlogon.exe process.

Virut is known to utilise a domain generation algorithm and an encrypted protocol with RSA signature verification for command and control signalling. When a communication link has been established using the most recent variants, the affected device is instructed to download a portable executable file. This attempts to drop further payloads over HTTP, using the user agent ‘AdInstall’.

Indicators of Compromise

Domains

  • ffiuli[.]com
  • gik.alr4[.]ru
  • lexfal[.]com
  • sexpsa[.]com
  • static.76.102.69[.]159.clients.your-server[.]de
  • tbsgay[.]com
  • volmio[.]com

IP Addresses

  • 77.73.69[.]179
  • 148.251.79[.]206
  • 159.69.102[.]76
  • 212.109.221[.]97

SHA256 File Hashes

  • 054eeaa9f120f3613cf06ad010c58adf025c4f8c03dcc6da6acd567be27e87aa
  • fb0852761cfb7bfa34be168452891d5849574254f8623192798f1c03c2777688
  • 781c12e2ab1c08d885c002eee8ef9c03e92c9c196fe5a576399080d10fbaa693
  • 6dadd08b523be5bc41162cd4ca35afabd4c847733ad8df88362de1ee3b383e96

Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: