Microsoft Malware Protection Center assists in disrupting Ramnit

Recent disruption of the Ramnit malware family was successful due to a multinational collaboration, led by Europol’s European Cybercrime Center (EC3), in partnership with Financial Services and Information Sharing & Analysis Center (FS-ISAC), Symantec, AnubisNetworks, Microsoft’s Digital Crimes Unit (DCU), and the Microsoft Malware Protection Center (MMPC).

The MMPC has been closely monitoring Ramnit since its discovery in April 2010, as you can see by reading: Ramnit - The renewed bot in town and Little Red Ramnit: My, what big eyes you have, Grandma!

The Ramnit threat tampers with antivirus software and disables Windows Update to prevent computers from getting critical security updates through Windows Update and antivirus software. We recommend using Microsoft Safety Scanner to scan and clean the threat. Additional technical details about what Ramnit can do, and how to clean it up, can be found by visiting the Malware Protection Centerand help-page respectively.

During the past six months, Microsoft detected approximately 500,000 instances of computers infected with Ramnit.

 Figure 1: Ramnit infection trend from the past six months

Ramnit is a module-based malware which concentrates on stealing credential information from banking websites.

Ramnit is configured to hide itself, disable security defences, and establish a connection with the Ramnit command and control server (C&C).

Ramnit generates 300 domains through a Domain Generation Algorithm (DGA), which is a function of rand and a hard-coded seed in the threat. Then, it tries to communicate to each through a custom protocol using port 443. Ramnit expects a reply from the C&C server that is signed using a RSA 1024-bit key, and uses RC4 encryption for the communication.

C&C server that is signed using a RSA 1024-bit key, and uses RC4 encryption for the communication.

See the Python implementation of DGA below:

  Figure 2: Sample Python code

Ramnit's design is modular to accommodate dynamic modules from the C&C server that can add additional functionality to the threat. This allows different malware modules that are pushed from the C&C server to plug into the malware framework on the user's computer and allows it to operate diskless (off of RAM).

To accomplish this, when an infected computer first contacts a C&C server, it can download one or more malware modules which give it new capabilities. For example, one module is designed to steal sensitive files from the user's computer, while a different module is designed to steal user credentials when the user logs into the website of a targeted financial institution, etc.

We have observed that Ramnit uses the following modules:

Figure 3: What a web page looks like before and after a Ramnit infection

We observed two different control servers:

• • C&C1 – the server that is contacted through DGA that controls what modules are downloaded, to provide command and VNC interface to the bot controller.
  • C&C2 – exists in the configuration file that is designed to handle web-injection responsible for stealing extra credential information.

By having two disassociated C&C, the threat gains the following advantages from its architecture:

1. 1. Dynamic content injected into webpages can change more rapidly and be tailored to the victim according to the country where the victim is located in and the websites visited.
   2. This can also act as a camouflage to hide the C&C2 from researchers, as this server is not referenced in the malware binary, reverse engineering the binary wouldn't reveal it. Identifying this server requires decryption of the configuration file sent by C&C1. The encryption algorithm used is RC4 with a machine specific key that also protects and increases the difficulty in finding it.
   3. The website content might update frequently. Updates for the website require the retrieval of a new configuration file. With this new server, it gives Ramnit bot controller the ability to put a portion of the injection code in a remote server.
   4. It allows credential information to be stored and managed separately. Figure 4 shows how the Ramnit C&C servers are organized.

Figure 4: A high-level flow of how Ramnit C&C servers operate

• Anti-AV Module

There is a significant Anti-AV function that is part of the Ramnit installer. When Ramnit is installed, it disables the following Windows components:

• Windows Firewall
• Windows Update
• Windows Defender
• Windows User Account Control

When the C&C connection was established, the C&C server sent a blacklist of more than 300 types of antivirus applications. See the detailed list in this blog: Ramnit - The renewed bot in town.

This dynamic module sent from the server was first observed in 2013 with the name "Antivirus Trusted Module v1.0.” See the technical details in this blog: Ramnit - The renewed bot in town

In recent months, this blacklist shrunk to Microsoft Anti-AV application core executables.

• FTP Grabber

The FTP Grabber enables Ramnit to steal credentials from FTP applications. One of Ramnit's propagation techniques is to implant those files with either Ramnit itself or other malware so that a user who downloads one of those files will be infected with Ramnit. See Win32/Ramnit for the detailed list of FTP Applications targeted by Ramnit. .

• Cookie Grabber

The Cookie Grabber enables Ramnit to steal browser cookie information or to forge cookies. A cookie is a piece of information sent by the web server during a web session. In the case of a banking session, the cookie might contain user credential identification information. Ramnit steals that cookie information for later use in defrauding the user.

It also shows the list of websites that the user visited so that the C&C server can send a tailored spy configuration module. See Win32/Ramnit for the detailed list of browsers targeted by Ramnit.

• VNC Module

The VNC module enables the Ramnit botnet controller to directly access and control the user's computer through a virtual network computing (VNC) connection. In other words, this allows the herder to access and completely control the user's computer. Machines with a properly configured firewall, or sit behind network address translation (NAT) won't be affected.

• Drive Scan Module

The Drive Scan module enables Ramnit to gather credential information in addition to the information gathered by the Hook-Spy module. By achieving this, this module scans the computer looking for interesting files that contain specific key words, typically associated with banking credentials. Figure 5 shows a list of keywords that this module looks for as it attempts to identify files to steal. If the Ramnit running on a user's computer can locate file names with these keywords in them, it will upload the file to the C&C server.

The Ramnit botnet controller then collects that file and reviews it for information to more effectively target the computer user.

 Figure 5: The list of keywords that Ramnit looks for

In summary, Ramnit has a hot pluggable modular framework design that gives it plenty of flexibility to extend new functionality on demand.

As always, we urge Windows users to be vigilant against malware:

• Exercise caution when opening emails or social media messages from unknown users.
• Be wary about downloading software from websites other than the program developers.
• Run an antivirus software regularly.

If you're using Windows 8 or later versions, Windows Defender is built-in. If you're running an older operating system, you can install Microsoft Security Essentials.

As a reminder to organizations invested in security, MMPC has a Coordinated Malware Eradication Program. If your organization is interested in joining or initiating an eradication campaign or participate in the CME program, please see the CME program page. You can also reach out to us at cme-invite@microsoft.com for more information. 

Tanmay Ganacharya, Karthik Selvaraj, and Tim Liu

MMPC