Ramnit worm found in Zeus Panther admin console

Feb 25, 2015 15:18 GMT  ·  By

Security researchers have found a customized administration panel for the Zeus Trojan infected with a variant of the Ramnit worm.

At the beginning of the analysis, it was believed that the worm had been intentionally included in the admin panel, called Zeus Panther, as a means to protect against unauthorized access and to infect the computer of the intruder.

However, security researchers from RSA later came to the conclusion that the Ramnit malware found its way into Zeus Panther straight from the machine of the cybercriminal, who was not aware of the infection.

Ramnit stepped into the financial malware league

The version of the administration panel analyzed by the researchers derives from Zeus Robot, which is based on code from Zeus v2.8.0.9. Zeus Panther has enjoyed increased popularity among fraudsters in recent months, RSA says.

The Ramnit worm has been around since early 2010, and it evolved from an information stealer targeting FTP credentials and browser cookies into online banking malware when the code for Zeus got leaked.

It included a man-in-the-browser web injection module, which allowed intercepting communication to secure websites and covert, real-time modification of the web pages accessed by the victim.

Fraudsters can become victims themselves

Between September and December 2011, no fewer than 800,000 computers were found to be infected by Ramnit. Since then, reports of it in the wild have fallen under 1% in the past two years, according to data from RSA. At the moment, the worm is detected by a large number of antivirus solutions.

The variant discovered by RSA dates from mid-2013, and one of its functions is to add malicious VBS code to all HTML files it finds on a compromised system. It spreads via USB, lodging itself in a hidden folder on a storage device plugged into the infected system.
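A defender auditing a web root or an upload for this kind of HTML tampering can look for VBScript blocks in HTML files. The sketch below is an added example, not code from RSA or the article; it assumes the injected code is a `<script>` element declared as VBScript and treats a block placed after the closing `</html>` tag as the stronger signal, a heuristic the article itself does not state.

```python
import re
import sys
from pathlib import Path

# Assumption: the injected code sits in a <script> tag declared as VBScript.
VBS_OPEN = re.compile(
    r"""<script\b[^>]*\b(?:language|type)\s*=\s*["']?(?:text/)?vbscript\b[^>]*>""",
    re.IGNORECASE,
)
HTML_CLOSE = re.compile(r"</html\s*>", re.IGNORECASE)
HTML_SUFFIXES = {".htm", ".html"}

# Constructed samples for illustration (not taken from a real infection).
CLEAN = "<html><body><script type='text/javascript'>var a=1;</script></body></html>"
INLINE = '<html><body><script language="VBScript">MsgBox 1</script></body></html>'
APPENDED = CLEAN + "\n<SCRIPT Language=VBScript>' constructed placeholder\n</SCRIPT>"


def classify(text):
    """Return 'clean', 'vbscript-present' or 'vbscript-after-html-end'."""
    starts = [m.start() for m in VBS_OPEN.finditer(text)]
    if not starts:
        return "clean"
    closes = [m.end() for m in HTML_CLOSE.finditer(text)]
    # A script that begins after the document's last </html> was appended
    # to an already complete page, which legitimate authoring rarely does.
    if closes and starts[-1] >= closes[-1]:
        return "vbscript-after-html-end"
    return "vbscript-present"


def scan_tree(root):
    """Map relative path -> verdict for every non-clean HTML file under root."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in HTML_SUFFIXES:
            # latin-1 decodes any byte sequence, so odd encodings never abort the scan.
            verdict = classify(path.read_bytes().decode("latin-1"))
            if verdict != "clean":
                findings[path.relative_to(root).as_posix()] = verdict
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, verdict in scan_tree(target).items():
        print(f"{verdict}\t{name}")
```

Legacy intranet pages can contain VBScript legitimately, so a `vbscript-present` verdict is a prompt for manual review rather than proof of infection.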

In a blog post published on Monday, RSA security researcher Lior Ben-Porat said that “This particular copy of Zeus Panther was saved onto a fraudster’s personal computer that had been infected by a Ramnit variant, and by uploading the Zeus Panther Admin panel from his infected machine, he unknowingly spread the Ramnit worm on his panel’s installation page.”

Ben-Porat’s conclusion is that despite being familiar with malware, in the end, fraudsters are susceptible to run-of-the-mill threats just like their victims.