Ramnit Malware: Improvising its weapons


Ramnit first appeared as a worm at the end of 2010. In the years since, researchers at Quick Heal Labs have observed drastic changes in the components of this malware. The authors of this family continuously upgrade it to adapt to the changing needs of the market. An interesting trait is that, while updating the malware, its authors stay consistent with their own core components and behaviour.

This paper aims to study and present the malware’s infection vector, behavior, workflow, and various components. The paper also discusses some important security measures to be taken against the malware.

Infection Vector
Earlier versions of Ramnit spread through removable drives. Later, its authors began distributing the malware embedded in other malware in encrypted form. Common techniques Ramnit uses to spread its infection include:

  • USB drives
  • Other malware
  • Exploit kits
  • URL spoofing
  • Bundled applications

Download the full report for a complete analysis of the components used by Ramnit.

Statistics: VBScript Injection
The chart below shows Quick Heal's detection statistics for Ramnit-infected VBScript files over the last six months.

[Chart: Ramnit infected-VBScript detections at Quick Heal, last six months]

Security Measures

  • Use a genuine operating system and keep it patched with the latest security updates. This prevents attackers from exploiting known, already-patched vulnerabilities.
  • Keep all software up to date.
  • Keep the virus database up to date.
  • Be careful when using removable drives.

How Quick Heal helps
Quick Heal Total Security helps counter this threat with the following security features:

  • Memory Scan
  • Drive Scan
  • Safe Banking
  • Network Protection
  • Boot Time Scan
  • Network Drive Scan


Appendix:

Registry Key Deleted

HKLM\SYSTEM\ControlSet001\Control\SafeBoot

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot

HKLM\SYSTEM\ControlSet001\Control\SafeBoot\AlternateShell: "cmd.exe"

These keys are deleted to prevent the computer from starting in Safe Mode.

Registry Key Added

HKLM\SYSTEM\ControlSet001\Services\Micorsoft Windows Service

HKLM\SYSTEM\CurrentControlSet\Services\Micorsoft Windows Service

HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MICORSOFT_WINDOWS_SERVICE

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICORSOFT_WINDOWS_SERVICE

Through these keys, the malware registers its driver component as a Windows service.

Registry values modified

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones

HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
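As an added example that is not part of the original report, the following PowerShell audits a host for the registry artefacts listed above from a defender's side. It assumes an elevated session, the key and service names exactly as given in the Appendix, and that a clean Winlogon\Userinit value contains only userinit.exe.

```powershell
# Added example (not from the Quick Heal report): read-only audit of the Ramnit
# registry artefacts listed in the Appendix. Run in an elevated PowerShell session.
# Assumption: on a clean host, Winlogon\Userinit contains only userinit.exe.

$findings = [System.Collections.Generic.List[string]]::new()
$hives    = 'ControlSet001', 'CurrentControlSet'

# 1. SafeBoot keys: Ramnit deletes these so the machine cannot start in Safe Mode.
#    A clean host has both keys, with AlternateShell set to cmd.exe.
foreach ($hive in $hives) {
    $safeBoot = "HKLM:\SYSTEM\$hive\Control\SafeBoot"
    if (-not (Test-Path -LiteralPath $safeBoot)) {
        $findings.Add("SafeBoot key missing: $safeBoot")
        continue
    }
    $alt = (Get-ItemProperty -LiteralPath $safeBoot -ErrorAction SilentlyContinue).AlternateShell
    if ($alt -ne 'cmd.exe') {
        $findings.Add("AlternateShell under $safeBoot is '$alt' (expected 'cmd.exe')")
    }
}

# 2. Service registration: the misspelled service name and its LEGACY_ Enum entry
#    from the report. If a key is not readable, Test-Path returns $false rather
#    than throwing, so run as SYSTEM for a complete view of Enum\Root.
$svcName = 'Micorsoft Windows Service'
foreach ($hive in $hives) {
    $paths = "HKLM:\SYSTEM\$hive\Services\$svcName",
             "HKLM:\SYSTEM\$hive\Enum\Root\LEGACY_MICORSOFT_WINDOWS_SERVICE"
    foreach ($path in $paths) {
        if (Test-Path -LiteralPath $path) {
            $findings.Add("Ramnit service artefact present: $path")
        }
    }
}

# 3. Winlogon\Userinit: the report lists this value as modified but not how, so
#    flag every comma-separated entry that is not the stock userinit.exe.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -LiteralPath $winlogon -Name Userinit).Userinit
$extra = ($userinit -split ',') | ForEach-Object { $_.Trim() } |
         Where-Object { $_ -and ($_ -notmatch '(^|\\)userinit\.exe$') }
if ($extra) {
    $findings.Add("Unexpected Userinit entries: $($extra -join ' | ')")
}

if ($findings.Count -eq 0) { 'No Ramnit registry artefacts found.' } else { $findings }
```

The Internet Settings\Zones and Shell Folders values the report also lists as modified are not checked here, because the report does not say what they are changed to.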

Commands and Response:

While traversing the memory of the infected process, we found the following FTP response codes and messages:

Response Code   Response Received
150             Data connection accepted
150             Opening data connection
200             Port command successful
227             Entering Passive Mode
250             CWD command successful
250             File executed successfully
266             ABOR command successful
350             File exists. Ready for destination name
350             REST supported. Ready to resume at byte offset
425             Can't open data connection
426             Cannot retrieve. Failed. Aborting
451             Failed: Cannot build data connection
451             Requested action aborted: local error
500             Syntax error, command unrecognized
501             Syntax error in parameters or arguments
503             Bad sequence of commands
550             No port specified.

FTP Commands:

Response Code   Response Received
150             Data connection accepted
150             Opening data connection
200             NOOP ok
200             Port command successful
200             Type set to %c
211             Status: undefined
214             Help id disabled
215             UNIX Type: L8
220             220 RMNetwork FTP
221             Bye!
226             Transfer ok
227             Entering Passive Mode
230             User logged in, proceed
250             CWD command successful
250             Directory removed
250             File deleted successfully
250             File executed successfully
250             File renamed successfully
257             %s is current directory
257             directory created
266             ABOR command successful
331             Password required for %s

Ramnit DGA Implementation:


Domains generated with the DGA (initial seed: 0x606D35BF)


 

ACKNOWLEDGEMENT

Subject Matter Expert:

  • Swapnil Patil (Threat Research & Response Team, Quick Heal)
Rajiv Singha


2 Comments


  1. amir_r512003@yahoo.com, May 14, 2016 at 3:35 AM:

    Help