Anti-Malware , Breach Response , Cybersecurity

Police Disrupt Banking Malware Botnet

But Worldwide Impact of Ramnit Takedown May Prove Temporary
Police Disrupt Banking Malware Botnet

Police in Europe say they've disrupted a botnet that has been serving up worldwide infections of the banking malware known as Ramnit. Authorities say that the malware, which is based in part on the notorious Zeus banking Trojan, has been used to infect more than 3.2 million computers globally in the past five years, and currently infects an estimated 350,000 PCs. But security experts warn that the disruption will likely be temporary.

See Also: Protect Your Microsoft Identity Infrastructure

This new takedown operation was launched by Europol - the association of European police agencies - after Microsoft warned officials in Europe that it had seen a spike in Ramnit infections. Having "sinkholed" the botnet's command-and-control servers - by redirecting traffic from infected PCs to "friendly" servers - authorities say they're now investigating the C&C servers, thus raising the possibility that they might be able to identify and locate the botnet's masterminds.

The U.K. National Crime Agency says it's identified approximately 33,000 Ramnit-infected PCs in the U.K. It warns that the latest iteration of the malware remains designed primarily to steal money from bank accounts, although also gives criminals access to a number of other features.

"This malware effectively gives criminals a back door so they can take control of your computer, access your images, passwords or personal data and even use it to circulate further spam messages or launch illegal attacks on other websites," says Steve Pye, senior manager of operations at the NCA's National Cyber Crime Unit. "It is important that individuals take action now to disinfect their machines and protect their personal information."

The Ramnit malware in recent years has targeted everything from the two-factor authentication used to secure online banking transactions, to Facebook log-in credentials. And despite the spike in European infections, Symantec, which assisted with the Ramnit botnet takedown operation, reports that the greatest number of such infections are currently in India, followed by Indonesia, Vietnam, Bangladesh, the United States and the Philippines.

Europol Coordinates Disruption

This takedown operation, which targeted multiple Ramnit C&C servers, was conducted by police in the U.K., Netherlands, Italy and Germany, and coordinated by the Netherlands-based Joint Cybercrime Action Taskforce, or J-CAT, which is based at the headquarters of Europol's European Cybercrime Center in the Hague. Launched last year, the taskforce - which includes cybercrime agents from the 28 EU member states, as well as from Australia, Canada, Columbia and the United States - coordinates cross-border cybercrime investigations.

"Strong international cooperation is crucial to success in tackling the major cybercrime threats facing the U.K. and its partners," says Andy Archibald, who chairs J-CAT, and also serves as deputy director of the NCA's National Cyber Crime Unit. "This operation is a further demonstration of the value J-CAT is adding to our efforts to disrupt criminal infrastructures."

Europol says that beyond Symantec, both AnubisNetworks, a unit of BitSight Technologies, and Microsoft assisted with the botnet investigation and takedown. "The criminals have lost control of the infrastructure they were using," Paul Gillen, head of operations at Europol's cybercrime center, tells Reuters.

Last week, Microsoft - working with the Financial Services Information Sharing and Analysis Center - filed a U.S. court order in a sealed lawsuit in the United States to seize Ramnit-related servers, it told Reuters, noting that the servers were seized simultaneously by authorities in four different countries.

But authorities warn that the Ramnit takedown may be temporary, and they're urging consumers to scan their PCs for the presence of the malware - and eradicate it when found. The NCA is also distributing a free Ramnit cleaning tool via its Get Safe Online website.

"Botnets have a nasty habit of playing 'whack a mole,'" Europol cybersecurity advisor Alan Woodward, who's a visiting professor at the department of computing at England's University of Surrey, tells Information Security Media Group. But he notes that it's still important to disrupt them. "You have to try - and it does cause a dent in their operations - but this one is particularly nasty, as it uses other botnets to spread itself as well. I suspect we'll see it pop up in another guise."

Woodward adds that this botnet was a good candidate for disruption. "I think this was worthy of action because it involved so many machines ... and it was a coordinated action between many countries, which is the way of the future when it comes to fighting this sort of cybercrime."

Cybercrime Tool Evolves

When Ramnit first appeared in 2010, Symantec's Laura O'Brien says in a blog post, it was notable for its rapaciousness: The malicious worm, after compromising a PC, would then scan for every "EXE, DLL, HTM, and HTML file on the local hard disk - and any removable drives and [attempt] to infect them with copies of itself."

Since then, however, Ramnit has continued to evolve into what's now "a fully featured cybercrime tool," O'Brien says, noting that it now has modules to do everything from spying on users' website browsing and injecting fake pages, to grabbing cookies and scanning hard drives for stored passwords. The malware can also connect to an anonymous FTP server to allow attackers to browse infected PCs, or give attackers direct, remote access via a virtual networking computing module.

Ramnit gives its operators the ability to target and steal numerous types of sensitive data. "Once a PC is infected, the malware will use it to collect account information for a series of online services - financial, banking, social, professional - by creating fake copies of legitimate websites," Microsoft warns. "Once your account information is collected, malware owners will have access to those sites and the services within them. This malware affects all versions of Windows."

Botnets Battle Disruptions

Whoever is behind Ramnit has proven adept at keeping the malware updated with the latest cybercrime capabilities. "Over time, the malware has evolved as its controllers appeared to shift their focus from building the botnet, to exploiting it," Symantec's O'Brien says, noting that the latest version of the malware - Ramnit.B - employs a number of cutting-edge file-infection techniques. "Its cybercrime capabilities were beefed up considerably with a number of different modules that are borrowed from the Zeus Trojan - Trojan.Zbot, whose source code was leaked in May 2011. This development transformed the Ramnit botnet into a vast cybercrime empire, spanning up to 350,000 compromised computers at present, harvesting banking credentials, passwords, cookies, and personal files from victims."

Woodward of the University of Surrey says that Ramnit, as with many other types of modern malware, has continued to be updated with new techniques designed to defend against any attempt to disrupt it. "Botnets are becoming cleverer as well in that they are rotating their command-and-control servers regularly," he says. "Sinkholing them gives you a snapshot, and if you watch for long enough it does allow you to find patterns and deal a significant blow. But they are like weeds - they are being designed to be more resilient to this sort of action."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.

Around the Network