New Suspicious .pl subdomain on Virut CnC IP - Feb 5, 2014

Wed, Feb 5th, 2014

#DhiaLite - New suspicious .pl subdomain oglo.bandycituska.pl showed today Feb 5th with a spike in traffic. It first resolved to 188.40.65.209 then currently to 88.198.203.229
Its nameservers ns1.sysplex.pl and ns2.sysplex.pl are hosted on 188.40.65.209

188.40.65.209 has been flagged since Jan 26th by VT for hosting Virut CnC domains.
https://www.virustotal.com/en/ip-address/188.40.65.209/information/

#Sample domains on 188.40.65.209

oglo.bandycituska.pl
www.gazetaswiat.pl
bandycituska.pl
www.bandycituska.pl
ns1.sysplex.pl
ns2.sysplex.pl
old.sysplex.pl
www.sysplex.pl
sysplex.pl
u0a.cing.pl
tsm.lefi.pl
sp.iqchk.pl
sg.kerta.pl
ps.indab.pl
in.kolso.pl
hus.limp.pl
c7.polgo.pl

From the list the domains below are Virut CnC domains

u0a.cing.pl
tsm.lefi.pl
sp.iqchk.pl
sg.kerta.pl
ps.indab.pl
in.kolso.pl
hus.limp.pl
c7.polgo.pl

Reports about the CnCs
https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Virus:Win32/Virut.gen!AO#tab=2
http://www.threatexpert.com/report.aspx?md5=609ec646ed46ff0a59afb8b6251ad4af
http://www.threatexpert.com/report.aspx?md5=c8138ce6d2ae2c7ae14c1cde46fc8499

Some of the VT reports for samples communicating with the CnCs
https://www.virustotal.com/en/file/b0aa5fb7eae8bb5c39712110b2fb42127f7a20a3f0bb8bef22f46ec35b323ea4/analysis/
https://www.virustotal.com/en/file/9ca0c1890a418b1bef645cf9e6eb8ec9322dd541cc749269a9f9a34ed8f74acd/analysis/
https://www.virustotal.com/en/file/50fbcc2614914e0e2431a7af3a74a9e0865bd016dfebee916e7d2b978aae72e9/analysis/
https://www.virustotal.com/en/file/5ea1e4baf3c0ae980a8e4ce28c929a60b9ec357099ad30047906fc936f3603fa/analysis/
https://www.virustotal.com/en/file/a6d26c15503de6d600feae4c17af6a259b42732d825f1e3fef8fe0b1cdbb5a5e/analysis/
https://www.virustotal.com/en/file/286d972891d6b82bcc0dd7d088734e375678c7886a89817d8148a1161024b63a/analysis/