The guy(s) behind the Virut botnet have been doing their malicious deeds for a long time now. What puzzles me is that they are still using the same domain names as they did ages ago (zief.pl, ircgalaxy.pl and so on). There’s also some connection between the Virut gang and RBN, the blackest of the black ISPs.
So, I decided to dig in a bit to see if I could locate anything. First of all, one of the guys running zief.pl and ircgalaxy.pl goes under the nickname xmax.
Here’s some info on him:
Interestingly, canpol.pl redirects to softland.pl.
Google cache hit on fcliverpool.pl.
Ok, let’s move on. Another guy involved with zief.pl and ircgalaxy.pl goes under the nickname adx. He also seems to be an asm-whiz. Here’s some information on him:
Realname: Piotr Niżyński
Where: Warszawa (Warsaw)
I’ll try to see if I can dig something up a little later, but meanwhile you can check this out:
Seems that the guys might be running a legitimate cover on their operations.
If you know a capable contact inside the Polish police forces, you might point them to some of the information seen here. It would be high time to get these guys off the market.