Small number of countries in Europe has been affected

Feb 26, 2015 17:33 GMT  ·  By

The operators behind Ramnit malware stole banking information through a network of compromised computers that extended all over the world.

On Wednesday, Europol announced that 300 command and control servers for a large Ramnit botnet had been shut down, in an operation that engaged the efforts of private companies Microsoft, Symantec and AnubisNetworks.

Up until the takedown, the malware was believed to present little risk, especially since most antivirus products included detection for it.

In a blog post on Monday that talked about a custom Zeus admin panel infected with Ramnit, researchers at RSA said that reports about the malware had become a rarity in the past two years, “falling far below the 1% share of malware variants reported in the wild.”

Dynamic IPs make it difficult to track infected machines accurately

The exact size of the dismantled botnet is somewhat unclear, with Symantec reporting a network of 350,000 computers, while Microsoft indicated more than 500,000 machines being infected in the past six months.

We turned to AnubisNetworks for details on this matter, and although the company could not disclose information from its Cyberfeed live threat intelligence feed service, it did say that both Symantec and Microsoft may be right in their assessment.

The infections are determined by unique IPs, but many Internet Service Providers (ISPs) have a dynamic scheme for providing them, and upon restarting the computer, a new address is assigned. This influences the results because the same machine can have multiple IPs in a period of time.

Also, multiple machines could be behind the same address, assigned to an Internet gateway device.

AnubisNetworks says that Microsoft may have relied in their estimation on the Key Performance Indicators (KPIs) available on the Windows machines

Infections detected in at least 28 countries

The information gathered by AnubisNetwork showed last week a peak at 350,000, but it was even higher in the past.

As far as geographical distribution of the infected computers is concerned, the company saw that most of the compromised systems were located in Indonesia, 90,925 accounting for 26,27%, which is consistent with Symantec's data.

Next came India with 80,144 infections (23,16%), and at a larger distance, Vietnam, with 34,708 (10,03%); Algeria (19,817 - 5,73%) and Thailand (16,747 - 4,84%) completed the top five list.

However, the date provided by AnubisNetworks includes 23 other countries that recorded at least 1,500 infections. Among them is Egypt, Turkey, Philippines, Pakistan, Iran, Azerbaijan, Irak, the UK, Morocco, Saudi Arabia, Nepal, Nigeria, Malaysia, Yemen, Russian Federation, Mexico, China, Brazil, Palestinian Territory, Myanmar, Mongolia and Romania.

It appears that the cybercriminals did not have a strategy that targeted a specific region and instead opted for a wider attack.

AnubisNetworks manages large sinkholes and Honeynet infrastructures, which are distributed all over the world, providing wide visibility.

Ramnit botnet (3 Images)

Indonesia is the most affected country
Botnet starts to shrink after disruptionRamnit infections take a plunge
Open gallery