The Ramnit malware family has been given a facelift with new anti-detection capabilities, a troubleshooting module, as well as enhanced encryption and malicious payloads.

Tim Liu of the Microsoft Malware Protection Center said Ramnet resurfaced late last year and its keepers had stripped out all of its infection function and enhanced its botnet functionality.

“Ramnit is a frequently updated threat which gets updated by its developer every day,” Liu wrote in a blogpost yesterday.

Ramnit was detected in 2010 and has been proficient in stealing credentials, focusing primarily on online bank accounts, FTP log-ins and even Facebook passwords. Researchers at Seculert in January 2012 said the attackers behind a Ramnit variant in circulation at the time were testing the stolen Facebook credentials against online bank accounts, corporate email and VPN systems, hoping customers were re-using passwords on all platforms.

This time around, Ramnit has grown up with its latest iteration boasting four new upgrades, all bolstered by rootkit functionality that hides other components of the Ramnit from security software.

In addition, once Ramnit connects to its command and control server, the compromised computers making up the botnet are sent via the backdoor connection a long list of antivirus product process names.

“Once Ramnit receives the list, both the Ramnit user-mode and kernel-mode components will attempt to terminate any process with any of these names,” Liu said.

The botmaster also included a troubleshooting module similar to one used by the Necurs botnet. The troubleshooter looks for crashes by any of the malware’s modules, logs them and forwards the logs to the command and control server before uninstalling a buggy module.

“It looks like the troubleshooting module has become a common feature in recently developed botnets. The malware authors are analyzing the error reports and making the botnet component more stable,” Liu said.

Ramnit’s authors are intent on keeping its varied malware components from being detected. For example, new payload modules are encrypted on the command and control server using an RC4 algorithm. Before loading it, Ramnit decrypts the module in memory avoiding a typical DLL loading cycle that’s watched for by security tools.

“By doing it in this way, Ramnit avoids detections from AV products since the module file on the disk is encrypted by RC4 and the module after decryption is loaded as a Dll,” Liu said. “We also see this mechanism implemented in Necurs.”

The payload modules, in previous versions, were limited to a FTP credential grabber, a cookie information grabber, a VNC installation borrowed from the Zeus Trojan for remote access, as well as a Hook&Spy Module native to Zeus as well.  Hook&Spy, which is the data- and credential-stealing component, has been replaced by a custom-built one.

“By doing this, Ramnit finally has its own bank stealth module which can be updated by itself and does not rely on [Zeus] updates anymore,” Liu said.

A new payload module, Liu said, is called Antivirus Trusted Module v1.0; Ramnit kills all antivirus processes through this module, though only AVG AntiVirus 2013 has been moved into the module to date, Liu said.

Categories: Malware, Microsoft

Comments (4)

  1. Anonymous
    1

    ClamWin detects Ramnit in installed CS2 in Win 7 from Adobe’s site here

    adobe.com/downloads/cs2_downloads/index

    Reinstalled several times, so I know for sure it’s coming from here.

    It also got into Windows Live since the last update, so I don’t know if it came from a background connection or from the original infection.

  2. Anonymous
    2

    MSE, ClamWin and nor Malwarebytes don’t detect latest Ramnit nor W32.Perelett.15399, only a outside scan seems to detect Perelett.

  3. Anonymous
    4

    Indeed, the help center files that come bundled with the various CS2 installers (made available for a short time on adobe.com) are identified as Ramnit by ClamAV.  This hit occurs even on completely fresh systems, so either Adobe’s original installers are virus-ridden or, more likely, this is a false positive.  :)

    The MD5 checksums I have are as follows:

    208dbcefb0c9af09f2aed49fc373c41f  AXE8SharedExpat.dll

    56aaf7a6e4176baef27f61c003002b09  AXSLE.dll

    1c4d9fb3e6e71177bfe3b891da859eaa  BIB.dll

    15093df702bba974db95f68dc746b7fd  iaccore.dll

     

Comments are closed.