Ramnit infected 3.2 million computers across the world

Feb 25, 2015 16:56 GMT  ·  By

A botnet created with Ramnit malware that infected 3.2 million computers across the world has been disrupted in a joint effort led by Europol’s European Cybercrime Centre (EC3) with assistance from several private security companies.

During the operation, 300 command and control (C&C) servers used by the cybercriminals behind the malware were sinkholed with the help of Microsoft, Symantec and AnubisNetworks.

Old worm learns new tricks

Ramnit has been around since April 2010, when it emerged as a worm that spread aggressively, infecting EXE, DLL, HTM, and HTML files available on local hard disks, as well as on any removable storage drives connected to the compromised computer.

Over the years, it evolved and added new modules built from the source code of the Zeus banking Trojan, which leaked in May 2011. Between September and the end of December 2011, Seculert found about 800,000 computers infected with Ramnit.

“This development transformed the Ramnit botnet into a vast cybercrime empire, spanning up to 350,000 compromised computers at present,” Symantec said on Wednesday.

The latest variant includes six modules that allow the cybercriminals to collect online banking log-in credentials, passwords, cookies and files from the infected system.

It can monitor web browsing sessions and identify web pages of financial institutions of interest. Ramnit integrates web injection capabilities to alter the bank’s website and make it appear to the victim that additional information is required to log into the account; all the data is then uploaded to the C&C controlled by the attackers.

Ramnit also includes a VNC module which, according to Symantec, gives the attackers another way to gain remote access to the compromised system.

Malware available both in memory and on the hard disk

Ramnit was believed to no longer present a threat, especially since most antivirus products had included detection for it, but telemetry data from Symantec revealed that infections continued through 2014, 6,700 new ones being recorded in November.

The researchers say that the persistence method Ramnit relied on consisted of placing a copy of the malware both on the hard disk and in memory. If the copy on disk got removed, the one in memory would drop a new copy.

Telemetry data from Symantec shows that the most affected countries are India (27%), Indonesia (18%), Vietnam (12%), Bangladesh (9%), the US (6%), and the Philippines (5%).

However, given that the botnet takedown is a Europol operation, most of the infected computers are likely located in Europe, where Symantec has lower visibility.