Ramnit Worm Evolves Into Financial Malware

The Ramnit worm, known by researchers for its use of somewhat old-school malicious techniques, has now changed some of its tactics and morphed into financial malware, researchers say.

The Ramnit worm, known by researchers for its use of somewhat old-school malicious techniques, has now changed some of its tactics and morphed into financial malware, researchers say.

As of now, researchers at Trusteer say they have no way of determining whether Ramnit has actually changed, or if it is just being used as a platform to commit financial fraud.

According to the report, Ramnit seems to be acting like a fairly standard piece of financial malware, with a man-in-the-middle Web injection module, which allows the malware to invisibly modify client-side Web pages and transactional details. Meanwhile, Ramnit is constantly communicating with its command and control server via SSL, reporting its status and receiving updates.

In the process of analyzing Ramnit, Trusteer researchers determined that its configuration is very similar to that of the more famous Zeus and SpyEye exploit kits. In fact, they discovered an individual component within Ramnit, titled Zeus, which led them to believe that Ramnit’s maintainers are incorporating parts of Zeus into their malware.

“Ramnit’s authors followed the standard approach of malicious financial
activities, supporting all basic features required for well-bred
financial malware. The malware includes a Man-in-the-Browser (MitB) web
injection module, which enables Ramnit to modify web pages
(client-side), modify transaction content, insert additional
transactions, etc. – all in a completely covert fashion invisible to
both the user and host application,” the Trusteer researchers said.

Thus far, Trusteer lists the known components of Ramnit as follows:

Proprietary “windows installer” (download and execute), hooker & MITB web injects (Zeus bundle), FTP grabber, FTP server, cookie grabber, and anti debugging/anti AV.

As Ramnit has been around since January of 2010, it shouldn’t be an issue for anyone running an up-to-date anti-virus program.

Suggested articles