The Ramnit malware family has been given a facelift with new anti-detection capabilities, a troubleshooting module, as well as enhanced encryption and malicious payloads.
Tim Liu of the Microsoft Malware Protection Center said Ramnet resurfaced late last year and its keepers had stripped out all of its infection function and enhanced its botnet functionality.
“Ramnit is a frequently updated threat which gets updated by its developer every day,” Liu wrote in a blogpost yesterday.
Ramnit was detected in 2010 and has been proficient in stealing credentials, focusing primarily on online bank accounts, FTP log-ins and even Facebook passwords. Researchers at Seculert in January 2012 said the attackers behind a Ramnit variant in circulation at the time were testing the stolen Facebook credentials against online bank accounts, corporate email and VPN systems, hoping customers were re-using passwords on all platforms.
This time around, Ramnit has grown up with its latest iteration boasting four new upgrades, all bolstered by rootkit functionality that hides other components of the Ramnit from security software.
In addition, once Ramnit connects to its command and control server, the compromised computers making up the botnet are sent via the backdoor connection a long list of antivirus product process names.
“Once Ramnit receives the list, both the Ramnit user-mode and kernel-mode components will attempt to terminate any process with any of these names,” Liu said.
The botmaster also included a troubleshooting module similar to one used by the Necurs botnet. The troubleshooter looks for crashes by any of the malware’s modules, logs them and forwards the logs to the command and control server before uninstalling a buggy module.
“It looks like the troubleshooting module has become a common feature in recently developed botnets. The malware authors are analyzing the error reports and making the botnet component more stable,” Liu said.
Ramnit’s authors are intent on keeping its varied malware components from being detected. For example, new payload modules are encrypted on the command and control server using an RC4 algorithm. Before loading it, Ramnit decrypts the module in memory avoiding a typical DLL loading cycle that’s watched for by security tools.
“By doing it in this way, Ramnit avoids detections from AV products since the module file on the disk is encrypted by RC4 and the module after decryption is loaded as a Dll,” Liu said. “We also see this mechanism implemented in Necurs.”
The payload modules, in previous versions, were limited to a FTP credential grabber, a cookie information grabber, a VNC installation borrowed from the Zeus Trojan for remote access, as well as a Hook&Spy Module native to Zeus as well. Hook&Spy, which is the data- and credential-stealing component, has been replaced by a custom-built one.
“By doing this, Ramnit finally has its own bank stealth module which can be updated by itself and does not rely on [Zeus] updates anymore,” Liu said.
A new payload module, Liu said, is called Antivirus Trusted Module v1.0; Ramnit kills all antivirus processes through this module, though only AVG AntiVirus 2013 has been moved into the module to date, Liu said.