
Ramnit Botnet Brought Down in Joint Operation by Police, Security Researchers

Researchers at Microsoft, AnubisNetworks and Symantec joined forces with law enforcement to deliver a body blow to the Ramnit botnet.

The software companies assisted Europol's European Cybercrime Centre (EC3) and the UK's National Crime Agency (NCA) in the operation to shut down Ramnit's command and control servers and redirect 300 Internet domain addresses used by the botnet's operators. Ramnit has been active since 2010 and is estimated to have infected more than 3.2 million computers during that time.

Microsoft said it has detected approximately 500,000 instances of computers infected with Ramnit during the past six months. According to Symantec, the botnet is currently about 350,000 computers strong.

"Ramnit (W32.Ramnit) began life as a worm, first appearing in 2010 and spreading quickly due to aggressive self-propagation tactics," according to Symantec. "Once it compromised a computer, it sought out all EXE, DLL, HTM, and HTML files on the local hard disk and any removable drives and attempted to infect them with copies of itself."
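The file-infection behaviour Symantec describes above (copies of the worm written into EXE, DLL, HTM and HTML files on local and removable drives) is the kind of change a baseline-and-compare integrity check catches. The following Python script is an added illustration, not code from Symantec, Microsoft or the article: it hashes every file with one of the four named extensions under a directory, stores that as a baseline, and later reports files that changed, grew, appeared or vanished. The directory layout and the appended bytes in `demo()` are constructed test data, not malware.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# File types the Symantec description names as Ramnit's infection targets
INFECTABLE_SUFFIXES = {".exe", ".dll", ".htm", ".html"}


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> {size, sha256} for every infectable file under root.

    Point root at a removable drive's mount point to cover that vector too.
    """
    root = Path(root)
    baseline = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in INFECTABLE_SUFFIXES:
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return baseline


def compare_to_baseline(root, baseline):
    """Re-scan root and classify differences against a stored baseline.

    'grown' is reported separately because a file infector that appends a copy
    of itself makes the host file larger; a legitimate rebuild often does not.
    """
    current = build_baseline(root)
    modified, grown, new, missing = [], [], [], []
    for rel, cur in current.items():
        old = baseline.get(rel)
        if old is None:
            new.append(rel)
        elif old["sha256"] != cur["sha256"]:
            modified.append(rel)
            if cur["size"] > old["size"]:
                grown.append(rel)
    for rel in baseline:
        if rel not in current:
            missing.append(rel)
    return {
        "modified": sorted(modified),
        "grown": sorted(grown),
        "new": sorted(new),
        "missing": sorted(missing),
    }


def demo():
    """Constructed scenario: snapshot a temp directory, then alter it (benign bytes only)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "app.exe").write_bytes(b"MZ" + b"\x00" * 100)
        (root / "lib.dll").write_bytes(b"MZ" + b"\x01" * 50)
        (root / "index.html").write_text("<html><body>hi</body></html>")
        (root / "notes.txt").write_text("not an infectable type, ignored")
        baseline = build_baseline(root)

        # Constructed changes that mimic only the *shape* of an infection:
        # one executable and one HTML file get extra content appended.
        with open(root / "app.exe", "ab") as f:
            f.write(b"\x00" * 10)
        (root / "index.html").write_text(
            "<html><body>hi</body><script>x</script></html>")
        (root / "new.exe").write_bytes(b"MZ")
        os.remove(root / "lib.dll")
        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category}: {files}")
```

A real deployment would persist the baseline (for example as JSON) and re-run the comparison on a schedule; any entry in `grown` or `modified` for a file that no installer or build touched is worth pulling for analysis.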

"Over time the malware has evolved as its controllers appeared to shift their focus from building the botnet to exploiting it," Symantec continued. "The most recent version of Ramnit (W32.Ramnit.B) has abandoned the file infection routine in favor of a range of alternative infection methods. Its cybercrime capabilities were beefed up considerably with a number of different modules that are borrowed from the Zeus Trojan (Trojan.Zbot), whose source code was leaked in May 2011. This development transformed the Ramnit botnet into a vast cybercrime empire, spanning up to 350,000 compromised computers at present, harvesting banking credentials, passwords, cookies, and personal files from victims."

Ramnit's victims span the globe, but the largest portion is located in India (27 percent) and Indonesia (18 percent). The United States accounted for six percent of the victims, Symantec noted.

"While early versions of Ramnit relied on file infection routines to spread, the attackers today exhibit a high degree of resourcefulness, using a number of different tactics to compromise victims," according to Symantec. "One of its main recent methods has been exploit kits hosted on compromised websites and social media pages. In addition to this, public FTP servers have also been found to be distributing the malware. Another possible route of compromise has been through potentially unwanted applications, which are inadvertently installed as part of software bundles from less reputable sources."

Europol Deputy Director Operations Wil van Gemert said the operation shows the importance of international cooperation between law enforcement agencies and private industry companies.

"We will continue our efforts in taking down botnets and disrupting the core infrastructures used by criminals to conduct a variety of cybercrimes," he said in a statement. "Together with the EU Member States and partners around the globe, our aim is to protect people around the world against these criminal activities."
