In January 2010, a new worm named Ramnit was spotted in the wild. A worm is a type of malware that secretly and maliciously integrates itself into a program or data files and infects more files each time the host program is run. This worm can infect Windows executable files, HTML files, office files and possibly other file types as well. This blog examines this type of worm from a financial point of view; for in-depth analysis of Ramnit’s parasitic behavior, see this Microsoft blog post.

Going Financial: Teaching an Old Dog New Tricks

Although this type of worm employs old-generation malicious techniques, we kept it on our malware radar. A few weeks ago, we started seeing something interesting. Apparently, Ramnit morphed into a financial malware — or at least was used as a platform to commit financial fraud; we’re still investigating its modular architecture. Once installed, this malware will continuously communicate with the command-and-control (C&C) server, reporting on its status and receiving configuration updates; inbound and outbound communication is over SSL (HTTPS).

Ramnit’s authors followed the standard approach of malicious financial activities, supporting all basic features required for well-bred financial malware. The malware includes a Man-in-the-Browser (MitB) Web injection module, which enables the malware to modify Web pages on the client side, modify transaction content, insert additional transactions, etc., all in a completely covert fashion invisible to both the user and host application.

Here is a sample Ramnit injection. Note the “security tip” created by the fraudsters in the injected message:

While analyzing Ramnit’s malicious activities, we noticed its configuration format is similar to the notorious Zeus and SpyEye financial malware platforms:

[set_url] [data_before][data_end] [data_inject] [data_end] [data_after] [data_end]

Ramnit consists of several independent components (see partial list below). One particular component, Zeus, caught our attention because it’s the HTMP injection engine used by Ramnit. Since the Zeus source code is available for free, and given the similarities between Zeus’ and Ramnit’s “standard financial approach” and configuration format, we suspect the malware’s authors incorporated parts of Zeus into Ramnit. We are still investigating Ramnit’s Zeus component.

Trusteer Versus Ramnit

• Trusteer Rapport: Customers running Trusteer Rapport are not vulnerable to this attack. Rapport blocks Ramnit from entering the browser, thus rendering the malware ineffective in terms of financial fraud. Rapport also prevents machines from becoming infected with the malware.

• Trusteer Pinpoint: In real time, Trusteer Pinpoint detects and reports Ramnit behaviors when customers whose machines are infected with the malware log in to an online banking application. This allows the bank to block the malicious activity generated by Ramnit.

Going Forward

The latest version of Ramnit consists of stand-alone modules; some are bundled with the dropper binary and some are fetched from its C&C. The following is a partial list of Ramnit components:

• Proprietary “windows installer” (download and execute)
• Hooker & MitB Web injects (Zeus bundle)
• FTP Grabber
• FTP Server
• Cookie Grabber
• Anti Debugging/Anti AV

Ramnit’s different components are still under investigation, as well as the malware itself. We will update this blog shortly with more findings, so stay tuned.