In January 2010, a new worm named Ramnit was spotted in the wild. A worm is a type of malware that secretly and maliciously integrates itself into a program or data files and infects more files each time the host program is run. This worm can infect Windows executable files, HTML files, office files and possibly other file types as well. This blog examines this type of worm from a financial point of view; for in-depth analysis of Ramnit’s parasitic behavior, see this Microsoft blog post.

Going Financial: Teaching an Old Dog New Tricks

Although this type of worm employs old-generation malicious techniques, we kept it on our malware radar. A few weeks ago, we started seeing something interesting. Apparently, Ramnit morphed into a financial malware — or at least was used as a platform to commit financial fraud; we’re still investigating its modular architecture. Once installed, this malware will continuously communicate with the command-and-control (C&C) server, reporting on its status and receiving configuration updates; inbound and outbound communication is over SSL (HTTPS).

Ramnit’s authors followed the standard approach of malicious financial activities, supporting all basic features required for well-bred financial malware. The malware includes a Man-in-the-Browser (MitB) Web injection module, which enables the malware to modify Web pages on the client side, modify transaction content, insert additional transactions, etc., all in a completely covert fashion invisible to both the user and host application.

Here is a sample Ramnit injection. Note the “security tip” created by the fraudsters in the injected message:

While analyzing Ramnit’s malicious activities, we noticed its configuration format is similar to the notorious Zeus and SpyEye financial malware platforms:

[set_url]
[data_before]
[data_end]
[data_inject]
[data_end]
[data_after]
[data_end]
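To make the format concrete, here is an added example (not code from the original post or from Trusteer) of a small parser for this Zeus/SpyEye-style inject configuration, written from the analyst's side: it reads a config, lists the URL patterns it targets, and checks whether a page as seen in a client's browser already carries an inject's content after its data_before anchor, which is the kind of comparison an on-page detection makes. The tag names are the ones listed above; the sample config, URLs, anchors and injected markup are constructed for this example.

```python
"""Parser for the Zeus/SpyEye-style web-inject config format described above.

Added example, not the malware's own code. Defender use: given a config recovered
from a sample, enumerate targeted URLs and flag a served page that already
contains an inject's payload where the config says it should land.
"""
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed sample config: tag names are from the post, everything else is made up.
SAMPLE_CONFIG = """\
set_url https://bank.example.invalid/login* GP
data_before
<form id="login">
data_end
data_inject
<p class="tip">Security tip (constructed example text)</p>
data_end
data_after
</form>
data_end

set_url https://bank.example.invalid/transfer* GP
data_before
<input name="amount"*>
data_end
data_inject
<input type="hidden" name="extra" value="CONSTRUCTED_PLACEHOLDER">
data_end
data_after

data_end
"""

# Constructed pages: one as the server sent it, one after a MitB inject was applied.
CLEAN_PAGE = '<html><body><form id="login"><input name="user"></form></body></html>'
TAMPERED_PAGE = (
    '<html><body><form id="login"><p class="tip">Security tip (constructed example text)</p>'
    '<input name="user"></form></body></html>'
)


@dataclass
class Inject:
    """One set_url block: where to inject (url_pattern, before, after) and what (inject)."""
    url_pattern: str
    before: str = ""
    inject: str = ""
    after: str = ""


def parse_config(text: str) -> list[Inject]:
    """Walk the config line by line; data_* opens a section, data_end closes it."""
    entries: list[Inject] = []
    current: Inject | None = None
    section: str | None = None
    buf: list[str] = []
    for line in text.splitlines():
        tag = line.strip()
        if tag.startswith("set_url"):
            parts = tag.split()
            current = Inject(url_pattern=parts[1] if len(parts) > 1 else "")
            entries.append(current)
        elif tag in ("data_before", "data_inject", "data_after"):
            section, buf = tag[len("data_"):], []      # "before" / "inject" / "after"
        elif tag == "data_end":
            if current is not None and section is not None:
                setattr(current, section, "\n".join(buf).strip())
            section, buf = None, []
        elif section is not None:
            buf.append(line)                           # body lines may span several lines
    return entries


def targets_for(url: str, entries: list[Inject]) -> list[Inject]:
    """Entries whose set_url pattern matches this URL ('*' is the wildcard)."""
    return [e for e in entries if fnmatchcase(url, e.url_pattern)]


def page_is_tampered(url: str, html: str, entries: list[Inject]) -> bool:
    """True if a matching entry's inject content is present after its data_before anchor."""
    for e in targets_for(url, entries):
        if not e.inject:
            continue
        anchor = e.before.split("*", 1)[0]             # literal part of a possibly wildcarded anchor
        start = html.find(anchor) if anchor else 0
        if start >= 0 and e.inject in html[start:]:
            return True
    return False


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for e in cfg:
        print("target:", e.url_pattern, "| inject:", e.inject[:40])
    print("tampered:", page_is_tampered("https://bank.example.invalid/login", TAMPERED_PAGE, cfg))
```

The same parser is enough to pull the target list out of a recovered config for blocklisting or customer notification; the tamper check is only meaningful on the page as rendered in the client, since the injection happens after the server's response leaves the network.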

Ramnit consists of several independent components (see partial list below). One particular component, Zeus, caught our attention because it’s the HTML injection engine used by Ramnit. Since the Zeus source code is available for free, and given the similarities between Zeus’ and Ramnit’s “standard financial approach” and configuration format, we suspect the malware’s authors incorporated parts of Zeus into Ramnit. We are still investigating Ramnit’s Zeus component.

Trusteer Versus Ramnit

  • Trusteer Rapport: Customers running Trusteer Rapport are not vulnerable to this attack. Rapport blocks Ramnit from entering the browser, thus rendering the malware ineffective in terms of financial fraud. Rapport also prevents machines from becoming infected with the malware.
  • Trusteer Pinpoint: In real time, Trusteer Pinpoint detects and reports Ramnit behaviors when customers whose machines are infected with the malware log in to an online banking application. This allows the bank to block the malicious activity generated by Ramnit.

Going Forward

The latest version of Ramnit consists of stand-alone modules; some are bundled with the dropper binary and some are fetched from its C&C. The following is a partial list of Ramnit components:

  • Proprietary “windows installer” (download and execute)
  • Hooker & MitB Web injects (Zeus bundle)
  • FTP Grabber
  • FTP Server
  • Cookie Grabber
  • Anti Debugging/Anti AV

Ramnit’s different components are still under investigation, as well as the malware itself. We will update this blog shortly with more findings, so stay tuned.
