Like GameOver Zeus, RAMNIT is also a 'botnet': a network of zombie computers operating under criminal control for malicious purposes such as spreading viruses, sending out spam containing malicious links, and carrying out distributed denial of service (DDoS) attacks in order to bring down target websites.
RAMNIT is believed to spread malware via seemingly trustworthy links sent through phishing emails or social networking sites, and mainly targets people running Windows operating systems in order to steal money from victims' bank accounts. Public FTP servers have also been found distributing the malware.
Once installed, the infected computer comes under the control of the botnet operators. The module downloads a virus onto the victim's computer without the victim's knowledge; the operators can then use it to access personal or banking information, steal passwords and disable anti-virus protection.
NASTY FEATURES OF RAMNIT BOTNET
Symantec says that Ramnit has been around for over four years, first originating as a computer worm. According to the anti-virus firm, Ramnit is a "fully-featured cybercrime tool, featuring six standard modules that provide attackers with multiple ways to compromise a victim." The features are:
- SPY MODULE - This is one of the most powerful Ramnit features, as it monitors the victim's web browsing and detects when they visit online banking sites. It can also inject itself into the victim's browser and manipulate the bank's website in such a way that it still appears legitimate, allowing it to easily grab the victim's credit card details.
- COOKIE GRABBER - This steals session cookies from web browsers and sends them back to the Ramnit operators, who can then use the cookies to authenticate themselves on websites and impersonate the victim. This could allow an attacker to hijack online banking sessions.
- DRIVE SCANNER - This scans the computer’s hard drive and steals files from it. The scanner is configured in such a way that it searches for specific folders which contain sensitive information such as victims’ passwords.
- ANONYMOUS FTP SERVER - The malware runs an FTP server that lets attackers connect to it, remotely access the infected computer and browse the file system. The server can be used to upload, download, or delete files and execute commands.
- VIRTUAL NETWORK COMPUTING (VNC) MODULE - This feature provides the attackers with another means to gain remote access to the compromised computers.
- FTP GRABBER - This feature allows the attackers to gather login credentials for a large number of FTP clients.
WHY DO BOTNETS RE-EMERGE AFTER TAKEDOWNS?
According to the authorities, the Ramnit botnet has been taken down, but is it guaranteed that the botnet will not re-emerge? We have seen the takedown of the GameOver Zeus botnet by the FBI and Europol as well, but what happened in the end? Just a month later, the GameOver Zeus botnet came back into operation with even nastier features.