Ramnit is one of the most prevalent threat families still active in the wild today. Two years ago, we talked about the infection method it uses in the Microsoft Malware Protection Center (MMPC) blog Little red Ramnit: My what big eyes you have, Grandma! by Scott Molenkamp. We are still keeping an eye on this threat and we have found a major change in Ramnit in the latter half of 2012. What we have found is that the newer version of Ramnit has stripped off all of its infection function routine but has enhanced its botnet function heavily. The infection function, it turns out, has not come back in the newer version. We have also updated our encyclopedia with details of the recent change, which you can read at the family description of Win32/Ramnit and at the description for the rootkit component, Trojan:WinNT/Ramnit.gen!A.

In this blog, we want to concentrate on some of Ramnit’s more notable techniques for accomplishing the above aims.

1. An extremely long AV product blocking list is received from the command and control (C&C) server for protecting the Ramnit component against detection. Figure 1 shows part of the AV product process names.

Win32/Ramnit blocked product names

Figure 1: Ramnit AV product blocking list

 

The blocking list is sent to the Ramnit victim’s computer. Once Ramnit receives the list, both the Ramnit user-mode and kernel-mode components will attempt to terminate any process with any of these names.

2. Ramnit implements troubleshooting modules, which we have seen used in the past by the prevalent Necurs family; now we see Ramnit also utilizing a similar implementation mechanism. Figure 2 shows the details of a troubleshooting module. 

Win32/Ramnit troubleshooting module

Figure 2: Ramnit troubleshooting module

 

In Figure 2, we can see a top exception handler is set. When a module crashes because of a bug, this code will receive control. Then the detail exception information is written to a log file which will be sent to the C&C server later. After that, the buggy module is unloaded. It looks like the troubleshooting module has became a common feature in recently developed botnets. The malware authors are analyzing the error reports and making the botnet component more stable.

3. The received module from the C&C server is encrypted on the disk and loaded on-the-fly to avoid detection. Figure 3 shows the details of the on-the-fly loading of the module.

Win32/Ramnit on-the-fly loading

Figure 3: Ramnit module loading on-the-fly

 

In Figure 3, we can see Ramnit creates a separate working thread in charge of the loading module task. The module received from the C&C server is encrypted by an RC4 algorithm. In order to load the module, Ramnit decrypts the plugin payload in memory and calls “StartRoutine” of the module directly in-memory, avoiding a typical DLL operating system loader cycle to stay encrypted on-disk, all the time. By doing it in this way, Ramnit avoids detections from AV products since the module file on the disk is encrypted by RC4 and the module after decryption is loaded as a Dll. We also see this mechanism implemented in Necurs.

4. The received module from the C&C server has been updated recently and we want to mention it in this blog. There used to be four frequently used modules by Ramnit:

  • FTP grabber: Steals FTP credentials
  • Cookie grabber: Steals browser cookie information
  • VNC (virtual network computing): Enables remote access on the victim’s machine for the attacker to do anything (module borrowed from Zbot)
  • Hook&Spy Module: Steals information, including banking credentials

There is a new module that has come up recently with the name “Antivirus Trusted Module v1.0.” It looks like Ramnit has started to move all of its anti-AV product functionality into this module for easy maintenance and to make that functionality stronger. For now, only the antivirus product “AVG AntiVirus 2013” is included. Besides killing the process, a "SC_CLOSE" message is also posted to the "AVG Anti-Virus" window in order to terminate it.
Another thing we want to bring out is the Hook&Spy module. This module used to be borrowed from Zbot, but in the recent update Ramnit has replaced the Zbot hook module with its own developed hook module. By doing this, Ramnit finally has its own bank stealth module which can be updated by itself and does not rely on Zbot updates anymore.

Finally, Ramnit is a frequently updated threat which gets updated by its developer every day. We recommend you keep your security products, such as Microsoft Security Essentials, always updated to the latest definitions to avoid infection.

 

 

Tim Liu
MMPC