Law enforcement authorities take down the Ramnit botnet
Law enforcement agencies, together with security companies, carried out an operation to seize and disable the infrastructure of a large botnet built on the Ramnit malware, which comprises more than three million bots (infected computers). Europol took part in the operation, as did the CERTs of several countries, including Germany, Italy, Holland, and the United Kingdom.
Ramnit itself (ESET: Win32/Ramnit.X; Microsoft: Win32/Ramnit, Trojan:WinNT/Ramnit; Symantec: W32.Ramnit, Hacktool.Rootkit) has a modular architecture and was used by the attackers for various purposes, including stealing the data of online banking users. The stolen data were then used to steal those users' money (the criminal scheme). Ramnit has self-propagation mechanisms (it is a file infector), makes many modifications to the system, and also contains a rootkit.
On the 24th of February, the operation was coordinated by the European Cybercrime Centre (EC3), which had been contacted beforehand. The operation involved.
Ramnit includes the following modules:
Browser data theft module (grabber): injects its malicious code (injector) into the process of a running browser and, by manipulating the forms shown to the user, steals online banking data.
Cookie grabber: steals cookies from the current browser session and sends them to the attacker's remote server; the intruders can later use these cookies to present themselves to the system as the legitimate user.
Rootkit: used to remove kernel-level hooks (SSDT) that security products rely on to protect the system.
Anti-AV module: disables various AV/security products, including the standard Windows Firewall, Windows Defender, and UAC.
File acquisition module: scans the file system on disk for specific files that may be valuable (those storing online banking data). These files are sent to the remote server.
VNC module: provides the attackers with remote access to the system.
A list of the various system modifications that one of the Ramnit variants can make to the system is available here. To ensure its survival on the system, it completely breaks Windows protected mode by removing the registry keys responsible for its operation.