In January 2010, a new worm named Ramnit was spotted in the wild. A worm is a type of malware that secretly and maliciously integrates itself into a program or data files and infects more files each time the host program is run. This worm can infect Windows executable files, HTML files, office files and possibly other file types as well. This blog examines this type of worm from a financial point of view; for in-depth analysis of Ramnit’s parasitic behavior, see this Microsoft blog post.

Going Financial: Teaching an Old Dog New Tricks

Although this type of worm employs old-generation malicious techniques, we kept it on our malware radar. A few weeks ago, we started seeing something interesting. Apparently, Ramnit morphed into a financial malware — or at least was used as a platform to commit financial fraud; we’re still investigating its modular architecture. Once installed, this malware will continuously communicate with the command-and-control (C&C) server, reporting on its status and receiving configuration updates; inbound and outbound communication is over SSL (HTTPS).

Ramnit’s authors followed the standard approach of malicious financial activities, supporting all basic features required for well-bred financial malware. The malware includes a Man-in-the-Browser (MitB) Web injection module, which enables the malware to modify Web pages on the client side, modify transaction content, insert additional transactions, etc., all in a completely covert fashion invisible to both the user and host application.

Here is a sample Ramnit injection. Note the “security tip” created by the fraudsters in the injected message:

While analyzing Ramnit’s malicious activities, we noticed its configuration format is similar to the notorious Zeus and SpyEye financial malware platforms:

[set_url] [data_before][data_end] [data_inject] [data_end] [data_after] [data_end]

Ramnit consists of several independent components (see partial list below). One particular component, Zeus, caught our attention because it’s the HTMP injection engine used by Ramnit. Since the Zeus source code is available for free, and given the similarities between Zeus’ and Ramnit’s “standard financial approach” and configuration format, we suspect the malware’s authors incorporated parts of Zeus into Ramnit. We are still investigating Ramnit’s Zeus component.

Trusteer Versus Ramnit

  • Trusteer Rapport: Customers running Trusteer Rapport are not vulnerable to this attack. Rapport blocks Ramnit from entering the browser, thus rendering the malware ineffective in terms of financial fraud. Rapport also prevents machines from becoming infected with the malware.
  • Trusteer Pinpoint: In real time, Trusteer Pinpoint detects and reports Ramnit behaviors when customers whose machines are infected with the malware log in to an online banking application. This allows the bank to block the malicious activity generated by Ramnit.

Going Forward

The latest version of Ramnit consists of stand-alone modules; some are bundled with the dropper binary and some are fetched from its C&C. The following is a partial list of Ramnit components:

  • Proprietary “windows installer” (download and execute)
  • Hooker & MitB Web injects (Zeus bundle)
  • FTP Grabber
  • FTP Server
  • Cookie Grabber
  • Anti Debugging/Anti AV

Ramnit’s different components are still under investigation, as well as the malware itself. We will update this blog shortly with more findings, so stay tuned.

More from Fraud Protection

What’s up India? PixPirate is back and spreading via WhatsApp

8 min read - This blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this content. PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device, with PixPirate, the downloader also…

Unveiling the latest banking trojan threats in LATAM

9 min read - This post was made possible through the research contributions of Amir Gendler.In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today