{
	"id": "b1bb0f04-2b93-49fd-83e3-50972ca3e4fe",
	"created_at": "2026-04-06T00:17:17.55977Z",
	"updated_at": "2026-04-10T03:20:28.138197Z",
	"deleted_at": null,
	"sha1_hash": "485f6a3042391c4a3738a29d3305c78f8fab3a00",
	"title": "Polish Takedown Targets ‘Virut’ Botnet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 184577,
	"plain_text": "Polish Takedown Targets ‘Virut’ Botnet\r\nPublished: 2013-01-18 · Archived: 2026-04-05 14:30:55 UTC\r\nSecurity experts in Poland on Thursday quietly seized domains used to control the Virut botnet, a huge army of\r\nhacked PCs that is custom-built to be rented out to cybercriminals.\r\nSource: Symantec\r\nNASK, the domain registrar that operates the “.pl” Polish top-level domain registry, said that on Thursday it began\r\nassuming control over 23 .pl domains that were being used to operate the Virut network. The company has\r\nredirected traffic from those domains to sinkhole.cert.pl, a domain controlled by CERT Polska — an incident\r\nresponse team run by NASK. The company says it will be working with Internet service providers and security\r\nfirms to help alert and clean up affected users.\r\n“Since 2006, Virut has been one of the most disturbing threats active on the Internet,” CERT Polska wrote. “The\r\nscale of the phenomenon was massive: in 2012 for Poland alone, over 890 thousand unique IP addresses were\r\nreported to be infected by Virut.”\r\nSome of the domains identified in the takedown effort — including ircgalaxy.pl and zief.pl — have been used as\r\ncontrollers for nearly half a decade. During that time, Virut has emerged as one of the most common and pestilent\r\nthreats. Security giant Symantec recently estimated Virut’s size at 300,000 machines; Russian security firm\r\nKaspersky said Virut was responsible for 5.5 percent of malware infections in the third quarter of 2012.\r\nThe action against Virut comes just days after Symantec warned that Virut had been used to redeploy Waledac, a\r\nspam botnet that was targeted in a high-profile botnet takedown by Microsoft in 2010.\r\nSELF-PERPETUATING CRIME MACHINE\r\nA file-infecting virus that has long been used to steal information from infected PCs, Virut is often transmitted via\r\nremovable drives and file-sharing networks. 
But in recent years, it has become one of the most reliable engines\r\nbehind massive malware deployment systems known as pay-per-install (PPI) networks. One such example was\r\nhttps://krebsonsecurity.com/2013/01/polish-takedown-targets-virut-botnet/\r\nPage 1 of 3\n\n“exerevenue.com,” a popular PPI network that once shared Internet resources with the aforementioned .pl\r\ndomains.\r\nPPI networks attract entrepreneurial malware distributors,\r\nhackers who are given custom “installer” programs that bundle malware and adware. In return, the distributors are\r\npaid a set amount for each 1,000 times their installer programs are run on new PCs. Access to the PPI networks is\r\nsold to miscreants in the underground, particularly spammers who are looking to increase the size of their spam\r\nbotnets. Those clients submit their malware—a spambot, fake antivirus software, or password-stealing Trojan—to\r\nthe PPI service, which in turn charges varying rates per thousand successful installations, depending on the\r\nrequested geographic location of the desired victims.\r\nThe Exerevenue.com PPI program died off in 2010, but cached copies of the site offer a fascinating glimpse into\r\nthe Virut business model. The following snippet of text was taken from Exerevenue’s software end-user license\r\nagreement (EULA, and yes, this malware had a EULA). It aptly described how Virut worked: as a file-infecting\r\nvirus that injected copies of itself into all .EXE and .HTML files found on victim PCs. According to the\r\nExerevenue administrators, the program’s installer relied on a trademarked “QuickBundle™” technology that\r\nbundled adware with other programs.\r\n“3) The software will especially target .EXE and .HTML files in the process of bundling. Other types of\r\nfiles may also be affected. HTML files are bundled with adware indirectly, through Internet links, and it\r\nrelies upon certain features of Web browsers that are often considered undesired. 
Therefore, you agree\r\nyou will not deliver your bundled files to anyone who can be offended by the QuickBundle technology\r\ndescribed earlier. In order to prevent a file from being bundled with adware, you can change its name to\r\nbegin with PSTO or WINC (in case of .EXE and .SCR files) or change its extension (in case of\r\n.HTM(heart), .ASP, and .PHP files), for example to .TXT. Apart from enriching your files with ad-supported content, your Windows HOSTS file will be modified to block certain domains used for\r\nadware loading automatization.”\r\nWHO IS RUNNING VIRUT?\r\nIn 2007, researchers at malware research group Team Furry published a brain dump of information that they’d\r\ncollected about the individuals they believed created and ran the Virut botnet. Team Furry pointed to several\r\nsubdomains of zief.pl and ircgalaxy.pl that according to archive.org hosted a somewhat active user forum\r\nfrequented by hackers who used the names “XMAX” and “Adx.” According to Team Furry, Adx was the hacker\r\nhandle used by a computer whiz from Warsaw named Piotr Niżyński. Mr. Niżyński did not respond to multiple\r\nrequests for comment.\r\nIt’s not clear how the actions by NASK will impact the long-term operations of the Virut botnet. Many of Virut’s\r\ncontrol servers are located outside the reach of NASK, at Russian top-level domain name registrars (.ru). Also,\r\nVirut has a failsafe mechanism built to defeat targeted attacks on its infrastructure. In a blog post on Jan. 7, 2013,\r\nSymantec documented Virut’s domain name generation algorithm (DGA); should Virut-infected PCs be unable to\r\nreach their hard-coded controllers at ircgalaxy.pl and zief.pl, the malware is configured to check one of a possible\r\n10,000 different domain names each day, generated according to an algorithm built into the malware. 
Armed with\r\nthis backup mechanism, the miscreants responsible for Virut in theory would need simply to register one of the\r\nDGA-designated domains to be able to re-establish communications and control over the botnet.\r\nSource: https://krebsonsecurity.com/2013/01/polish-takedown-targets-virut-botnet/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://krebsonsecurity.com/2013/01/polish-takedown-targets-virut-botnet/"
	],
	"report_names": [
		"polish-takedown-targets-virut-botnet"
	],
	"threat_actors": [],
	"ts_created_at": 1775434637,
	"ts_updated_at": 1775791228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/485f6a3042391c4a3738a29d3305c78f8fab3a00.pdf",
		"text": "https://archive.orkl.eu/485f6a3042391c4a3738a29d3305c78f8fab3a00.txt",
		"img": "https://archive.orkl.eu/485f6a3042391c4a3738a29d3305c78f8fab3a00.jpg"
	}
}