MW-Blog » Blog Archive » So, who is behind Virut?

So, who is behind Virut?

The guy(s) behind the Virut botnet have been doing their malicious deeds for a long time now. What puzzles me is that they are still using the same domain names as they did ages ago (zief.pl, ircgalaxy.pl and so on). There’s also some connection between the Virut gang and RBN, the blackest of the black ISPs.

So, I decided to dig in a bit to see if I could locate anything. First of all, one of the guys running zief.pl and ircgalaxy.pl goes under the nickname xmax.

Here’s some info on him:

He’s a half-op on PolNet (forum.ircnet.pl)
Birthdate claimed to be 17 Lut 1989 (February 17th 1989)
Name and surname: Max S (from Jabberpl)
Where: Kamienna Góra (from FCLiverPool.pl)

Email addresses:

xmax@canpol.pl
xmax@chrome.pl

Interestingly, canpol.pl redirects to softland.pl.

LINKS:

http://forum.ircnet.pl/profile.php?mode=viewprofile&u=369&sid=8be147989567657c04b4504b0fa25eba
http://xmax.jogger.pl
http://www.last.fm/user/xmax/
http://jaggedalliance.pl/forum/profiles/814.htm
http://www.kamienna-gora.pl/en/index.html
Google cache hit in fcliverpool.pl
http://grono.net/pub/u/4424/

Ok, let’s move on. Another guy involved with zief.pl and ircgalaxy.pl goes under the nickname adx. He also seems to be an asm-whiz. Here’s some information on him:

Nickname: adx
Realname: Piotr Niżyński
Where: Warszawa (Warsaw)

Email Addresses:

adx@zief.pl
adx@crashnet.pl
adx@bezduszni.pl
adx@irc7.pl

Various links:

http://forum.ircnet.pl/viewtopic.php?p=19908&sid=c1b71d4a7e8d00c3db973dba524c7ac1
http://209.85.129.104/search?q=cache:kbBMbZ7QY8cJ:www.ksiazki.com/pl.irc_60.html+adx+zief&hl=fi&ct=clnk&cd=2&gl=fi
http://www.antywir.pl/post1039.html
http://www.adx.irc7.pl/
http://forum.ircnet.pl/profile.php?mode=viewprofile&u=740&sid=e3c8945c1eb2468be559683659f49586
http://www.grupy.waw.pl/stats-21961.html

I’ll try to see if I can dig something up a little later, but meanwhile you can check this out:

http://209.85.129.104/search?q=cache:mgPye9UW60UJ:www.htn.pl/index.html%3Fid%3D8+%22Piotr+Ni%C5%BCy%C5%84ski%22&hl=fi&ct=clnk&cd=10&gl=fi

Seems that the guys might be running a legitimate cover on their operations.

If you know a capable contact inside the Polish police forces you might point them to some of the information seen here. It would be high time to get these guys off the market.

8 Responses to “So, who is behind Virut?”

  1. Polish Takedown Targets ‘Virut’ Botnet — Krebs on Security Says:

    […] IS RUNNING VIRUT? In 2007, researchers at malware research group Team Furry published a brain dump of information that they’d collected about the individuals they believed created and ran the Virut botnet. […]

  2. Polish Takedown Targets ‘Virut’ Botnet « Geekpolitic : on Freedom, Privacy and Security Says:

    […] IS RUNNING VIRUT? In 2007, researchers at malware research group Team Furry published a brain dump of information that they’d collected about the individuals they believed created and ran the Virut botnet. Team […]

  3. Polish Takedown Targets ‘Virut’ Botnet | Secure Lagos Says:

    […] IS RUNNING VIRUT? In 2007, researchers at malware research group Team Furry published a brain dump of information that they’d collected about the individuals they believed created and ran the Virut botnet. […]

  4. Polish Takedown Targets ‘Virut’ Botnet | My Blog Says:

    […] IS RUNNING VIRUT? In 2007, researchers at malware research group Team Furry published a brain dump of information that they’d collected about the individuals they believed created and ran the Virut botnet. Team […]

  5. Polish Registrar Seizes Domains of the Virut Botnet Says:

    […] Virut has been known to the Polish CERT since 2006. According to the research group Team Furry, the botnet was built by two Poles. Currently it is primarily used to […]

  6. NASK attacks the Virut botnet. It takes over domains associated with it | Says:

    […] is a botnet created by Polish programmers (according to teamfurry.com one lives in Kamienna Góra, the other in Warsaw), which infected about 300 […]

  7. NASK takes over the domains of the Polish Virut botnet | wordpress Says:

    […] Attempts to track down Virut were already made in 2007. According to information from Teamfurry, the owners of the botnet are said to be two […]


If you want to comment on this article please send e-mail
to authors(_at_)teamfurry.com or go to the forums.
