The Ramnit botnet, a favorite among thieves dabbling in financial fraud for its frequent updates, has been shut down in a joint effort spearheaded by Europol’s European Cybercrime Centre (EC3).
In a statement today, EC3 said investigators from across Europe, along with Microsoft, AnubisNetworks and Symantec, carried out the operation, which shut down the botnet’s command and control infrastructure and redirected traffic from 300 domains used by Ramnit to domains controlled by authorities.
More than 3.2 million Windows computers have been infected by Ramnit, EC3 said. Ramnit was spread via spam campaigns, phishing scams and drive-by downloads, enticing victims to unwittingly install the malicious code. The attackers then had access to the infected machine and used it to steal primarily banking credentials, but also passwords for social networking accounts, FTP log-ins and more. Once the infected machine was backdoored, the malware also attempted to detect a long list of antivirus products running on zombie machines and turn off their detection capabilities.
Paul Gillen, head of operations at the cybercrime centre, told Reuters that the operation took down seven command and control servers.
“The criminals have lost control of the infrastructure they were using,” Gillen said.
Two years ago, Microsoft released an extensive report on Ramnit, noting how its operators had enhanced not only the evasion techniques protecting the malware, but also management of bots. New encryption routines were added that would not set off triggers in security software, for example.
Today’s takedown is the latest in a long line of botnet interventions carried out by law enforcement and private technology companies, in particular, Microsoft, which has a webpage available to help detect and remove Ramnit from infected machines.
“This successful operation shows the importance of international law enforcement working together with private industry in the fight against the global threat of cybercrime,” said Wil van Gemert, Europol deputy director of operations. “We will continue our efforts in taking down botnets and disrupting the core infrastructures used by criminals to conduct a variety of cybercrimes. Together with the EU Member States and partners around the globe, our aim is to protect people around the world against these criminal activities.”
For its part, Microsoft has been involved in a number of takedowns of prolific banking botnets, including Nitol, Zeus and GameOver Zeus last June; GOZ was responsible for distributing Cryptolocker ransomware. Another takedown last summer, however, was not without controversy, as Microsoft not only targeted the command and control infrastructure of a number of malware families, but also sought legal action against No-IP, a hosting provider. The action enabled Microsoft to sinkhole a number of domains hosted by No-IP, including a number of legitimate domains used by security researchers and other investigators. Microsoft eventually settled with No-IP and returned nearly two dozen seized domains.
Kaspersky Lab recently published a report on malware targeting financial data in which it said it detected 23 million attacks in 2014 that made use of banking Trojans and other financial malware such as Ramnit. The share of malware attacks targeting online banking credentials rose 8.9 percentage points making up 75.6 percent of all financial malware attacks in 2014, Kaspersky Lab said.
“It’s tempting to think that cybercriminals operate with impunity, but police agencies are able to disrupt the activities of cybercriminals,” said David Emm, principal security researcher with Kaspersky’s Global Research and Analysis Team. “International co-operation is particularly important, given the global nature of cybercrime.”