No matter how small a virus is, it's better never to underestimate its capability! A worm that may be considered a low-risk concern can become a serious threat later with just a few changes, just like the Ramnit worm, which has now turned into a serious threat for the banking sector.
Ramnit emerged last year, in January 2010, with the capability to infect Windows executable files, HTML files, Office files and many other file types. It used old-generation malicious techniques to infect Microsoft Windows executable files. Once it had infected a machine, Ramnit was used to steal saved FTP credentials and browser cookies. After a few weeks under observation, Ramnit appeared to have modified itself into financial malware, and it is now said to serve as a platform for committing financial fraud.
The Ramnit worm has all the standard features of malicious financial activity and supports all the basic capabilities expected of well-developed financial malware. Once the Ramnit worm enters your system or network, it continuously communicates with its Command and Control (C&C) server: it reports on its status and keeps receiving configuration updates, with inbound and outbound communication over SSL (https). The Ramnit worm includes a Man-in-the-Browser (MitB) web injection module that can modify transaction content, insert additional transactions, and so on. The modified Ramnit malware has the ability to drain bank accounts because all of its activity is hidden, invisible to both the user and the host application. This lets cyber criminals bypass two-factor authentication, modify web pages and covertly insert banking transactions.
Malware analysts confirm that Ramnit consists of several independent components and its configuration format is similar to the notorious Zeus’ and SpyEye financial malware platforms:
[set_url] [data_before][data_end] [data_inject] [data_end] [data_after] [data_end]
The HTML injection engine used by Ramnit is part of the Zeus source code, which is available for free download with no strings attached. Given the similarities between Zeus' and Ramnit's standard financial approach and configuration format, it is suspected that the malware authors have merged parts of Zeus into Ramnit. The investigation is still in progress.
According to the analysis, the latest version of Ramnit consists of standalone modules, some of which are bundled with the dropper binary while others are fetched from its C&C. Ramnit's components include a proprietary "windows installer" (Download and Execute), Hooker & MitB web injects (Zeus bundle), FTP Grabber, FTP server, Cookie Grabber, Anti Debugging/Anti AV, etc.
Experts say that the cyber criminals behind the Ramnit worm have transformed it into financial-focused malware capable of draining bank accounts, using what may be bits and pieces of the publicly available Zeus malcode to make it more effective. On the basis of close observation, researchers also believe that some Ramnit variants contained a backdoor that awaits instructions from a remote attacker.
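As an added illustration of the configuration format shown above (example code written for this post, not taken from the original article or from any malware source), here is a small Python parser an analyst could run over a captured webinject config to enumerate which URL patterns it targets and what markup each rule carries. It assumes the keywords set_url, data_before, data_inject and data_after appear one per line, that each data_* block is closed by data_end, and that any tokens after the URL on a set_url line are flags; the sample config and its URL are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed sample config; the URL and markup are placeholders, not real.
SAMPLE_CONFIG = """\
set_url https://bank.example/login* GP
data_before
<form name="login"
data_end
data_inject
<!-- injected markup placeholder -->
data_end
data_after
data_end
"""

@dataclass
class Inject:
    url: str            # target URL pattern from the set_url line
    flags: str          # trailing tokens on the set_url line (assumed optional)
    before: str = ""    # markup the engine searches for in the page
    inject: str = ""    # markup inserted after the 'before' match
    after: str = ""     # markup that closes the search window (may be empty)

def parse_webinjects(text):
    """Return Inject records; raise ValueError on a malformed config."""
    rules, current, block, lines = [], None, None, []
    for n, line in enumerate(text.splitlines(), 1):
        if block is not None:            # inside a data_* block
            if line.strip() == "data_end":
                setattr(current, block, "\n".join(lines))
                block, lines = None, []
            else:
                lines.append(line)
            continue
        parts = line.split()
        if not parts:
            continue                     # blank separator between rules
        if parts[0] == "set_url" and len(parts) >= 2:
            current = Inject(parts[1], parts[2] if len(parts) > 2 else "")
            rules.append(current)
        elif parts[0] in ("data_before", "data_inject", "data_after"):
            if current is None:
                raise ValueError(f"line {n}: data block before any set_url")
            block = parts[0][5:]         # "before", "inject" or "after"
        else:
            raise ValueError(f"line {n}: unexpected token {parts[0]!r}")
    if block is not None:
        raise ValueError(f"unterminated data_{block} block")
    return rules
```

The list of url values from parse_webinjects is what a defender would feed into proxy alerting or share as indicators of which sites a sample targets.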
Microsoft added Ramnit to the Malicious Software Removal Tool, putting it on Microsoft's Top 25 Infections list with more than 52,000 infections. It is known as one of the four parasitic viruses among the top 10 detected threat families. Infected executable files can crash the machine when they are run, while the infection itself remains unnoticed by the user.
It is said that the Ramnit writers have been working on a worm module to help it spread via USB and network drives, and the incorporation of Zeus code is one of the writers' latest iterations.
So the bottom line is: Ramnit should not be hyped so much, as there is nothing unique about it. It is just an upgraded version of existing malware with a module taken from an already capable worm! Zeus was unique, and so was SpyEye; Ramnit is not!