Good solid malware programs never really go away; they just go in for a realignment. Take the Ramnit malware family as a perfect example. After a regeneration process, it now has new anti-detection capabilities and a troubleshooting module, as well as enhanced encryption and malicious payloads.
Tim Liu of the Microsoft Malware Protection Center said Ramnit resurfaced late last year, and that its developers stripped out all of its infection functionality and enhanced its botnet functionality.
“Ramnit is a frequently updated threat which gets updated by its developer every day,” Liu wrote in a blogpost.
Ramnit first came out in 2010 and has been proficient in stealing credentials, focusing primarily on online bank accounts, FTP log-ins and even Facebook passwords. Researchers at Seculert in January 2012 said the attackers behind a Ramnit variant in circulation at the time were testing the stolen Facebook credentials against online bank accounts, corporate email and VPN systems, hoping customers were re-using passwords on all platforms.
This time around, Ramnit's latest iteration boasts four new upgrades, all bolstered by rootkit functionality that hides Ramnit's other components from security software.
In addition, once Ramnit connects to its command and control server, the compromised computers making up the botnet send a long list of antivirus product process names over the backdoor connection.
“Once Ramnit receives the list, both the Ramnit user-mode and kernel-mode components will attempt to terminate any process with any of these names,” Liu said.
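As an added illustration from the defender's side (not code from the article or from Microsoft), the following Python flags a process that terminates several security-product processes within a short window, the behaviour described above. The telemetry format, process names, thresholds and the `find_av_killers` helper are constructed assumptions, not a real product's log schema.

```python
# Added detection example (not from the article): flag an actor process that
# terminates several security-product processes in a short window, the
# behaviour the article attributes to Ramnit's AV-kill routine.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed denylist standing in for the process-name list a defender cares
# about; real vendor process names vary and should come from your own inventory.
SECURITY_PROCESSES = {"avgui.exe", "avgsvc.exe", "msmpeng.exe", "mbam.exe"}

# Constructed telemetry: "timestamp|actor_pid|actor_image|action|target_image"
SAMPLE_EVENTS = """\
2013-01-15T10:00:01|4120|update.exe|terminate|msmpeng.exe
2013-01-15T10:00:02|4120|update.exe|terminate|avgui.exe
2013-01-15T10:00:02|4120|update.exe|terminate|avgsvc.exe
2013-01-15T10:00:03|4120|update.exe|terminate|mbam.exe
2013-01-15T10:05:00|2211|explorer.exe|terminate|notepad.exe
2013-01-15T10:07:00|2211|explorer.exe|terminate|avgui.exe
"""

def parse_events(text):
    """Parse the constructed pipe-delimited telemetry into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, actor, action, target = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "pid": int(pid),
                       "actor": actor.lower(), "action": action,
                       "target": target.lower()})
    return events

def find_av_killers(events, threshold=3, window=timedelta(seconds=60)):
    """Return {(pid, actor): [targets]} for actors that terminate at least
    `threshold` distinct security-product processes within `window`."""
    per_actor = defaultdict(list)
    for e in events:
        if e["action"] == "terminate" and e["target"] in SECURITY_PROCESSES:
            per_actor[(e["pid"], e["actor"])].append(e)
    alerts = {}
    for key, evs in per_actor.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):  # sliding window over this actor's kills
            hits = {e["target"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(hits) >= threshold:
                alerts[key] = sorted(hits)
                break
    return alerts
```

A single termination of one security process (the explorer.exe line) stays below the threshold, so only the burst from PID 4120 is reported.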
The botmaster also included a troubleshooting module similar to one used by the Necurs botnet. The troubleshooter looks for crashes by any of the malware’s modules, logs them and forwards the logs to the command and control server before uninstalling a buggy module.
“It looks like the troubleshooting module has become a common feature in recently developed botnets. The malware authors are analyzing the error reports and making the botnet component more stable,” Liu said.
Ramnit’s authors are intent on protecting its varied malware components from detection. For example, new payload modules are stored encrypted on the command and control server using the RC4 algorithm. Before loading one, Ramnit decrypts the module in memory, avoiding the typical DLL loading cycle that security tools usually watch for.
“By doing it in this way, Ramnit avoids detections from AV products since the module file on the disk is encrypted by RC4 and the module after decryption is loaded as a DLL,” Liu said. “We also see this mechanism implemented in Necurs.”
In previous versions, the payload modules were limited to an FTP credential grabber, a cookie information grabber, a VNC installation borrowed from the Zeus Trojan for remote access, and a Hook&Spy module that was also native to Zeus. Hook&Spy, the data- and credential-stealing component, has been replaced by a custom-built one.
“By doing this, Ramnit finally has its own bank stealth module which can be updated by itself and does not rely on [Zeus] updates anymore,” Liu said.
A new payload module, Liu said, is the Antivirus Trusted Module v1.0, through which Ramnit kills all antivirus processes; to date, however, only AVG AntiVirus 2013 has been added to the module.