Recent disruption of the Ramnit malware family was successful due to a multinational collaboration, led by Europol’s European Cybercrime Center (EC3), in partnership with Financial Services and Information Sharing & Analysis Center (FS-ISAC), Symantec, AnubisNetworks, Microsoft’s Digital Crimes Unit (DCU), and the Microsoft Malware Protection Center (MMPC).
The MMPC has been closely monitoring Ramnit since its discovery in April 2010, as you can see by reading: Ramnit - The renewed bot in town and Little Red Ramnit: My, what big eyes you have, Grandma!
The Ramnit threat tampers with antivirus software and disables Windows Update to prevent computers from getting critical security updates through Windows Update and antivirus software. We recommend using Microsoft Safety Scanner to scan and clean the threat. Additional technical details about what Ramnit can do, and how to clean it up, can be found by visiting the Malware Protection Center and respectively.
During the past six months, Microsoft detected approximately 500,000 instances of computers infected with Ramnit.
Figure 1: Ramnit infection trend from the past six months
Ramnit is a module-based malware which concentrates on stealing credential information from banking websites.
Ramnit is configured to hide itself, disable security defences, and establish a connection with the Ramnit command and control server (C&C).
Ramnit generates 300 domains through a Domain Generation Algorithm (DGA), which is a function of rand and a hard-coded seed in the threat. Then, it tries to communicate to each through a custom protocol using port 443. Ramnit expects a reply from the C&C server that is signed using a RSA 1024-bit key, and uses RC4 encryption for the communication.
C&C server that is signed using a RSA 1024-bit key, and uses RC4 encryption for the communication.
See the Python implementation of DGA below:
Figure 2: Sample Python code
Ramnit's design is modular to accommodate dynamic modules from the C&C server that can add additional functionality to the threat. This allows different malware modules that are pushed from the C&C server to plug into the malware framework on the user's computer and allows it to operate diskless (off of RAM).
To accomplish this, when an infected computer first contacts a C&C server, it can download one or more malware modules which give it new capabilities. For example, one module is designed to steal sensitive files from the user's computer, while a different module is designed to steal user credentials when the user logs into the website of a targeted financial institution, etc.
We have observed that Ramnit uses the following modules:
This core module does a sophisticated form of fraud referred to as a "web-injection" attack to capture the user's banking credentials. To achieve this goal, this module first downloads a configuration file which contains a list of websites to monitor. A majority of the websites we saw were banks. With this list, Ramnit continues to monitor websites on the list. When Ramnit sees the user attempting to connect to one of the websites on the list, it silently captures the credential information and uploads it to the C&C server. Configuration can also specify additional information to be collected from the user. User interface elements needed to collect this information are dynamically inserted into the web page that the user is visiting. For the user, it appears as though the target website itself is requesting new information. For example, Figure 3 shows the effect of a Ramnit web-injection. The image on the left shows how the webpage would be presented to a user on an uninfected computer. The image on the right shows how the webpage would be presented to a user on a Ramnit-infected computer.
Figure 3: What a web page looks like before and after a Ramnit infection
We observed two different control servers:
- C&C1 – the server that is contacted through DGA that controls what modules are downloaded, to provide command and VNC interface to the bot controller.
- C&C2 – exists in the configuration file that is designed to handle web-injection responsible for stealing extra credential information.
By having two disassociated C&C, the threat gains the following advantages from its architecture:
- Dynamic content injected into webpages can change more rapidly and be tailored to the victim according to the country where the victim is located in and the websites visited.
- This can also act as a camouflage to hide the C&C2 from researchers, as this server is not referenced in the malware binary, reverse engineering the binary wouldn't reveal it. Identifying this server requires decryption of the configuration file sent by C&C1. The encryption algorithm used is RC4 with a machine specific key that also protects and increases the difficulty in finding it.
- The website content might update frequently. Updates for the website require the retrieval of a new configuration file. With this new server, it gives Ramnit bot controller the ability to put a portion of the injection code in a remote server.
- It allows credential information to be stored and managed separately. Figure 4 shows how the Ramnit C&C servers are organized.
Figure 4: A high-level flow of how Ramnit C&C servers operate
There is a significant Anti-AV function that is part of the Ramnit installer. When Ramnit is installed, it disables the following Windows components:
- Windows Firewall
- Windows Update
- Windows Defender
- Windows User Account Control
When the C&C connection was established, the C&C server sent a blacklist of more than 300 types of antivirus applications. See the detailed list in this blog: Ramnit - The renewed bot in town.
This dynamic module sent from the server was first observed in 2013 with the name "Antivirus Trusted Module v1.0.” See the technical details in this blog: Ramnit - The renewed bot in town
In recent months, this blacklist shrunk to Microsoft Anti-AV application core executables.
The FTP Grabber enables Ramnit to steal credentials from FTP applications. One of Ramnit's propagation techniques is to implant those files with either Ramnit itself or other malware so that a user who downloads one of those files will be infected with Ramnit. See Win32/Ramnit for the detailed list of FTP Applications targeted by Ramnit.
The Cookie Grabber enables Ramnit to steal browser cookie information or to forge cookies. A cookie is a piece of information sent by the web server during a web session. In the case of a banking session, the cookie might contain user credential identification information. Ramnit steals that cookie information for later use in defrauding the user.
It also shows the list of websites that the user visited so that the C&C server can send a tailored spy configuration module. See Win32/Ramnit for the detailed list of browsers targeted by Ramnit.
The VNC module enables the Ramnit botnet controller to directly access and control the user's computer through a virtual network computing (VNC) connection. In other words, this allows the herder to access and completely control the user's computer. Machines with a properly configured firewall, or sit behind network address translation (NAT) won't be affected.
Drive Scan Module
The Drive Scan module enables Ramnit to gather credential information in addition to the information gathered by the Hook-Spy module. By achieving this, this module scans the computer looking for interesting files that contain specific key words, typically associated with banking credentials. Figure 5 shows a list of keywords that this module looks for as it attempts to identify files to steal. If the Ramnit running on a user's computer can locate file names with these keywords in them, it will upload the file to the C&C server.
The Ramnit botnet controller then collects that file and reviews it for information to more effectively target the computer user.
Figure 5: The list of keywords that Ramnit looks for
In summary, Ramnit has a hot pluggable modular framework design that gives it plenty of flexibility to extend new functionality on demand.
As always, we urge Windows users to be vigilant against malware:
Exercise caution when opening emails or social media messages from unknown users.
Be wary about downloading software from websites other than the program developers.
Run an antivirus software regularly.
If you're using Windows 8 or later versions, Windows Defender is built-in. If you're running an older operating system, you can install Microsoft Security Essentials.
As a reminder to organizations invested in security, MMPC has a Coordinated Malware Eradication Program. If your organization is interested in joining or initiating an eradication campaign or participate in the CME program, please see the CME program page. You can also reach out to us at firstname.lastname@example.org for more information.
Tanmay Ganacharya, Karthik Selvaraj, and Tim Liu