Virut is a botnet malware family that was first seen in 2006. The botnet was believed to have been mostly shut down by a Polish-led sinkhole operation in 2013. Some variants have been observed evading the sinkhole and distributing additional malware in November 2018.
Virut spreads by injecting code into any executable or screensaver file that is accessed. It also injects malicious iframes into HTML, PHP and ASP files. This means that Virut can be distributed to additional devices via network shares, removable drives and malvertising. The most recent variants inject code into the winlogon.exe process.
Virut is known to utilise a domain generation algorithm and an encrypted protocol with RSA signature verification for command and control signalling. When a communication link has been established using the most recent variants, the affected device is instructed to download a portable executable file. This attempts to drop further payloads over HTTP, using the user agent ‘AdInstall’.
Indicators of Compromise
SHA256 File Hashes
Duncan is a technology professional with over 20 years experience of working in various IT roles. He also has a wide range of other skills in radio, electronics and telecommunications.