So, who is behind Virut?
The guy(s) behind the Virut botnet have been doing their malicious deeds for a long time now. What puzzles me is that they are still using the same domain names as they did ages ago (zief.pl, ircgalaxy.pl and so on). There’s also some connection between the Virut gang and RBN, the blackest of the black ISPs.
So, I decided to dig in a bit to see if I could locate anything. First of all, one the guys running zief.pl and ircgalaxy.pl goes under the nickname xmax.
Here’s some info on him:
He’s a half-op on PolNet (forum.ircnet.pl)
Birthdate claimed to be 17 Lut 1989 (February 17th 1989)
Name and surname: Max S (from Jabberpl)
Where: Kamienna Góra (from FCLiverPool.pl)
Email addresses:
xmax@canpol.pl
xmax@chrome.pl
Interestingly, canpol.pl redirects to softland.pl
LINKS:
http://forum.ircnet.pl/profile.php?mode=viewprofile&u=369&sid=8be147989567657c04b4504b0fa25eba
http://xmax.jogger.pl
http://www.last.fm/user/xmax/
http://jaggedalliance.pl/forum/profiles/814.htm
http://www.kamienna-gora.pl/en/index.html
Google cache hit in fcliverpool.pl
http://grono.net/pub/u/4424/
Ok, let’s move on. Another guy involved with zief.pl and ircgalaxy.pl goes under the nickname adx. He also seems to be an asm-whiz. Here’s some information on him:
Nickname: adx
Realname: Piotr Niżyński
Where: Warszawa (Warsaw)
Email Addresses:
adx@zief.pl
adx@crashnet.pl
adx@bezduszni.pl
adx@irc7.pl
Various links:
http://forum.ircnet.pl/viewtopic.php?p=19908&sid=c1b71d4a7e8d00c3db973dba524c7ac1
http://209.85.129.104/search?q=cache:kbBMbZ7QY8cJ:www.ksiazki.com/pl.irc_60.html+adx+zief&hl=fi&ct=clnk&cd=2&gl=fi
http://www.antywir.pl/post1039.html
http://www.adx.irc7.pl/
http://forum.ircnet.pl/profile.php?mode=viewprofile&u=740&sid=e3c8945c1eb2468be559683659f49586
http://www.grupy.waw.pl/stats-21961.html
I’ll try to see if I can dig something up a little later, but meanwhile you can check this out:
http://209.85.129.104/search?q=cache:mgPye9UW60UJ:www.htn.pl/index.html%3Fid%3D8+%22Piotr+Ni%C5%BCy%C5%84ski%22&hl=fi&ct=clnk&cd=10&gl=fi
Seems that the guys might be running a legitimate cover on their operations.
If you know a capable contact inside the Polish police forces you might point them to some of the information seen here. It would be high time to get these guys off the market.
January 18th, 2013 at 7:08 pm
[…] IS RUNNING VIRUT? In 2007, researchers at malware research group Team Furry published a brain dump of information that they’d collected about the individuals they believed created and ran the Virut botnet. […]
January 18th, 2013 at 10:30 pm
[…] IS RUNNING VIRUT? In 2007, researchers at malware research group Team Furry published a brain dump of information that they’d collected about the individuals they believed created and ran the Virut botnet. Team […]
January 19th, 2013 at 1:11 am
[…] IS RUNNING VIRUT? In 2007, researchers at malware research group Team Furry published a brain dump of information that they’d collected about the individuals they believed created and ran the Virut botnet. […]
January 19th, 2013 at 4:24 am
[…] IS RUNNING VIRUT? In 2007, researchers at malware research group Team Furry published a brain dump of information that they’d collected about the individuals they believed created and ran the Virut botnet. Team […]
January 22nd, 2013 at 10:40 am
[…] polnischen CERT ist Virut seit 2006 bekannt. Der Forschergruppe Team Furry zufolge wurde das Botnetz von zwei Polen aufgebaut. Derzeit wird es in erster Linie benutzt, um […]
January 28th, 2013 at 2:51 am
[…] to botnet stworzony przez polskich programistów (według teamfurry.com jeden jest mieszkańcem Kamiennej Góry, natomiast drugi Warszawy), który zaraził około 300 […]
February 11th, 2013 at 12:33 am
[…] Viruta próbowano namierzyć już w 2007 roku. Według informacji Teamfurrywłaścicielami botnetu mają być dwaj […]