The newest variant of Ramnit, the Windows malware responsible for the recent theft of at least 45,000 Facebook logins, is the latest example of how malware writers and cyber-criminals take “off-the-shelf” hacks and bolt them together to teach old viruses new tricks. Facebook passwords aren’t the only thing that the Ramnit virus can grab—thanks to the integration of some of the code from the Zeus botnet trojan, Ramnit can now be customized with modules for all manner of remote-controlled mayhem.
“Ramnit is an interesting beast,” said Amit Klein, CTO of web security services firm Trusteer in an interview with Ars. “Until last summer, it was just a generic worm spreading around by infecting files. Then they retrofitted it with financial fraud capabilities.”
The evolved version of Ramnit is a potent threat to enterprises, he said, because it can capture any data in a web session—and as more companies move to web-based software as a service for enterprise applications, that could include almost anything.
First sighted by researchers in 2010 in its initial form, Ramnit spreads by attaching itself to Windows executable files (.EXE, .SCR, and .DLL files) as well as to HTML documents. In some variants spotted earlier this year by Microsoft researchers, it also attached itself to Microsoft Office documents. Versions have also been spotted that install themselves onto USB drives when they’re connected, and create an Autorun script that launches the virus’ installer when the drive is plugged into another PC.
Ramnit infections exploded in the summer of 2011. According to a report from Symantec, Ramnit accounted for over 17 percent of the malware blocked by the company’s antivirus software in July. Researchers at the security firm Seculert found through the installation of a “sinkhole” that between September and December of 2011, over 800,000 individual Windows PCs were infected with the virus and reporting back to a command and control network.
However it arrives on a victim’s PC, the virus runs an installer that unpacks Ramnit’s payload on the system and changes the Windows registry so that the malware is launched automatically at startup. Ramnit then uses a hidden browser instance to establish a connection to the attacker’s command and control network. From there it can load modules that inject JavaScript and HTML into web browser sessions on the infected machine—a capability borrowed from the Zeus botnet, Klein told us.
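The two autostart mechanisms described above (an Autorun script dropped on a removable drive, and a registry entry that launches the malware at startup) can be triaged with one heuristic: does the command launch an .EXE, .SCR or .DLL from a relative path or from a user-writable directory? The Python below is an added example and is not code from the article or from any of the vendors it cites. The autorun.inf text and the Run-key entries are constructed samples, and the user-writable-directory hints and extension set are assumptions to tune for your environment, not Ramnit signatures.

```python
"""Triage autostart entries from autorun.inf files and Run/RunOnce keys.

Added example: parses the [autorun] section of an autorun.inf, extracts the
entries that execute code when the drive is opened, and applies the same
suspicion heuristic to (value name, command) pairs exported from a Run key.
"""
import re
import shlex

# Extensions the article says Ramnit-family infectors attach to.
EXECUTABLE_EXTS = {".exe", ".scr", ".dll"}
# Assumed user-writable locations worth flagging (lower-case, backslash-delimited).
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\recycler\\",
                       "\\programdata\\", "\\users\\public\\")
# autorun.inf keys that run a program when the drive is opened or double-clicked.
LAUNCH_KEYS = ("open", "shellexecute")

# Constructed sample autorun.inf, in the shape a drive-infecting worm tends to use.
SAMPLE_AUTORUN_INF = """\
[autorun]
; constructed sample for illustration
open=RECYCLER\\S-1-5-21-0000\\setup.exe
shell\\open\\command=RECYCLER\\S-1-5-21-0000\\setup.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
label=USB DISK
"""

# Constructed (value name, command) pairs as exported from a Run key.
SAMPLE_RUN_ENTRIES = [
    ("ContosoAgent", r'"C:\Program Files\Contoso Agent\agent.exe" --tray'),
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Updater", r"C:\Users\alice\AppData\Roaming\Xqzptr\wvmnfk.exe"),
    ("Helper", r"rundll32.exe C:\Users\alice\AppData\Local\Temp\srvhost.dll,Start"),
]


def parse_autorun_inf(text):
    """Return key=value pairs of the [autorun] section with lower-cased keys.
    ';' comment lines and other sections (e.g. [AutoRun.Amd64]) are ignored;
    the first occurrence of a key wins, mirroring how Windows reads INI files."""
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries.setdefault(key.strip().lower(), value.strip())
    return entries


def autorun_launch_commands(entries):
    """Yield (key, command) for open=, shellexecute= and shell\\<verb>\\command= lines."""
    for key, value in entries.items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            yield key, value


def split_command(command):
    """Split a Windows command line into tokens, honouring double quotes."""
    try:
        tokens = shlex.split(command, posix=False)  # non-POSIX keeps backslashes intact
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        tokens = command.split()
    return [t.strip('"') for t in tokens]


def assess_autostart(command):
    """Return the reasons an autostart command looks suspicious ([] if none)."""
    tokens = split_command(command)
    if not tokens:
        return []
    target, reasons = tokens[0], []
    # rundll32 <dll>,<entry>: the DLL argument is the thing actually being started.
    if target.lower().rsplit("\\", 1)[-1] in ("rundll32.exe", "rundll32") and len(tokens) > 1:
        target = tokens[1].split(",")[0]
        reasons.append("DLL loaded through rundll32 at startup")
    lower = target.lower()
    basename = lower.rsplit("\\", 1)[-1]
    ext = "." + lower.rsplit(".", 1)[-1] if "." in basename else ""
    if ext not in EXECUTABLE_EXTS:
        return reasons
    # A path without a drive letter, UNC prefix or %VAR% resolves relative to the
    # drive root: the normal shape of an autorun.inf launching a dropped installer.
    if not re.match(r"^[a-z]:\\|^\\\\|^%", lower):
        reasons.append(f"relative path {target!r} resolves against the drive root")
    if any(hint in "\\" + lower for hint in USER_WRITABLE_HINTS):
        reasons.append(f"{ext} launched from a user-writable location")
    return reasons


def scan_autorun_inf(text):
    """Findings [(key, command, reasons)] for suspicious launch entries in one autorun.inf."""
    found = []
    for key, cmd in autorun_launch_commands(parse_autorun_inf(text)):
        reasons = assess_autostart(cmd)
        if reasons:
            found.append((key, cmd, reasons))
    return found


def scan_run_entries(entries):
    """Same assessment over (value name, command) pairs exported from a Run key."""
    found = []
    for name, cmd in entries:
        reasons = assess_autostart(cmd)
        if reasons:
            found.append((name, cmd, reasons))
    return found


if __name__ == "__main__":
    for source, hits in (("autorun.inf", scan_autorun_inf(SAMPLE_AUTORUN_INF)),
                         ("Run key", scan_run_entries(SAMPLE_RUN_ENTRIES))):
        for name, cmd, reasons in hits:
            print(f"[{source}] {name}: {cmd}\n    " + "; ".join(reasons))
```

The heuristic deliberately errs on the side of reporting: the constructed OneDrive entry is flagged too, because legitimate per-user software also runs from AppData. Treat the output as a triage list to reconcile against a software inventory, not as an automatic quarantine decision.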
“We’ve found traces of the Zeus code” in Ramnit, he said, and those were specifically related to Zeus’ ability to sniff for connections to banking systems and load “webinject” modules to steal account data. That capability also allows hackers to defeat security measures such as two-factor authentication and certificate-signed transactions, giving them the ability to hijack online banking sessions and ride on the backs of users through corporate security to web mail and other systems.
The Facebook attack is most likely part of an effort by hackers to simply distribute Ramnit more widely, using the accounts to spread links that infect additional computers with the virus or other malware. So it seems unlikely that we’ve heard the last of Ramnit.