Europol Takes Down Botnet (RAMNIT) of 350,000 Computers

Ramnit infected 3.2 million computers across the world
A botnet built with the Ramnit malware, which infected 3.2 million computers across the world, has been disrupted in a joint effort led by Europol’s European Cybercrime Centre (EC3) and assisted by several private security companies.
During the operation, 300 command and control (C&C) servers used by the cybercriminals behind the malware were sinkholed with the help of Microsoft, Symantec and AnubisNetworks.

Ramnit has been around since April 2010, when it emerged as a worm that spread aggressively, infecting EXE, DLL, HTM and HTML files on the local hard disk as well as on any removable storage drives connected to the compromised computer.
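A file-infecting worm of the kind described above rewrites existing executables and web pages, so the defender's basic check is a known-good hash baseline of exactly those file types, re-scanned to find what changed. The script below is an added example written for this page, not code from Symantec, Europol or the Ramnit analysis; the extension list comes from the article, while the directory layout, file names and the "infected" modifications in the demo are constructed sample data.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# File types the article lists as targets of the Ramnit worm (EXE, DLL, HTM, HTML).
INFECTABLE_EXTENSIONS = {".exe", ".dll", ".htm", ".html"}


def sha256_of(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large binaries never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every infectable file under root (relative POSIX path) to its SHA-256."""
    baseline = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in INFECTABLE_EXTENSIONS:
            baseline[path.relative_to(root).as_posix()] = sha256_of(path)
    return baseline


def diff_baseline(root: Path, baseline: dict) -> dict:
    """Re-scan root and report files that changed, appeared or disappeared since the baseline.

    A file infector alters executables and web pages in place, so an unexplained
    'modified' entry for a .exe or .html is the signal to act on.
    """
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "new": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def save_baseline(baseline: dict, manifest: Path) -> None:
    """Persist the manifest; keep it off the scanned host so malware cannot rewrite it."""
    manifest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(manifest: Path) -> dict:
    return json.loads(manifest.read_text())


def make_sample_tree() -> Path:
    """Build a constructed directory (sample input, not real data) to exercise the scanner."""
    root = Path(tempfile.mkdtemp(prefix="ramnit_fim_"))
    (root / "app.exe").write_bytes(b"MZ constructed sample executable")
    (root / "sub").mkdir()
    (root / "sub" / "page.html").write_text("<html>constructed sample page</html>")
    (root / "notes.txt").write_text("not an infectable type, so ignored")
    return root


if __name__ == "__main__":
    root = make_sample_tree()
    baseline = build_baseline(root)
    # Simulate what a file infector leaves behind: an altered .exe and a dropped .htm.
    (root / "app.exe").write_bytes(b"MZ constructed sample executable" + b"\x90" * 16)
    (root / "sub" / "index.htm").write_text("<html>constructed dropped page</html>")
    print(json.dumps(diff_baseline(root, baseline), indent=2))
```

The baseline is only worth anything if it was taken from a known-clean state and stored where the scanned host cannot reach it (for a removable drive, that means on the scanning machine, not on the drive itself); a baseline captured after infection simply enshrines the infected files as "good".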
Over the years it evolved, adding new modules built from the source code of the Zeus banking Trojan, which leaked in May 2011. Between September and the end of December 2011, Seculert found about 800,000 computers infected with Ramnit.
“This development transformed the Ramnit botnet into a vast cybercrime empire, spanning up to 350,000 compromised computers at present,” said Symantec on Wednesday.
The latest variant includes six modules that allow the cybercriminals to collect online banking login credentials, passwords, cookies and files from the infected system.
It can monitor web browsing sessions and identify the web pages of financial institutions of interest. Ramnit integrates web-injection capabilities to alter the bank’s web page as displayed to the victim, making it appear that additional information is required to log into the account; everything the victim enters is then uploaded to the C&C servers controlled by the attackers.
Another way to access the compromised system is a VNC module that, according to Symantec, provides remote access.
The researchers say that Ramnit’s persistence method consisted of keeping a copy of the malware both on the hard disk and in memory. If the copy on disk was removed, the one in memory would drop a new copy.
However, given that the botnet takedown was a Europol operation, most of the infected computers are likely located in Europe, where the security company has less visibility.
RAMNIT SHUT-DOWN IN AN OPERATION
In a statement on Tuesday, Europol revealed that the successful takedown of the Ramnit botnet involved the help of Microsoft, Symantec and AnubisNetworks. Together they shut down the botnet's command and control infrastructure and redirected traffic from a total of 300 domains used by Ramnit's criminal operators.
"This successful operation shows the importance of international law enforcement working together with private industry in the fight against the global threat of cybercrime," said Wil van Gemert, Europol's deputy director of operations. "We will continue our efforts in taking down botnets and disrupting the core infrastructures used by criminals to conduct a variety of cybercrimes."
NASTY FEATURES OF RAMNIT BOTNET
Symantec says that Ramnit has been around for over four years, having first appeared as a computer worm. According to the anti-virus firm, Ramnit is a "fully-featured cybercrime tool, featuring six standard modules that provide attackers with multiple ways to compromise a victim." The modules are:
- SPY MODULE - One of the most powerful Ramnit features: it monitors the victim’s web browsing and detects visits to online banking sites. It can also inject itself into the victim’s browser and manipulate the bank’s web page so that it still appears legitimate, making it easy to grab the victim’s credit card details.
- COOKIE GRABBER - Steals session cookies from web browsers and sends them back to the Ramnit operators, who can then use the cookies to authenticate themselves on websites and impersonate the victim. This could allow an attacker to hijack online banking sessions.
- DRIVE SCANNER - Scans the computer’s hard drive and steals files from it. The scanner is configured to search specific folders that contain sensitive information, such as the victim’s passwords.
- ANONYMOUS FTP SERVER - By connecting to this server, attackers can remotely access the infected computer and browse its file system. The server can be used to upload, download or delete files and to execute commands.
- VIRTUAL NETWORK COMPUTING (VNC) MODULE - Gives the attackers another means of remote access to the compromised computers.
- FTP GRABBER - Lets the attackers gather login credentials for a large number of FTP clients.
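The cookie grabber works because a stolen session cookie, replayed from the attacker's machine, is indistinguishable from the victim's own requests unless the server looks beyond the cookie. Cookie attributes such as HttpOnly do nothing here, since the malware reads the browser's cookie store directly on the infected host, so the practical mitigation is server-side: bind each session to the client that established it and invalidate it when the same session id suddenly arrives from a different network or client. The following is an added example for this page, not code from the article or from any of the companies it names; the access-log format, the session ids and the addresses are constructed sample data, and binding to a /24 (IPv4) or /64 (IPv6) is an assumed tolerance for NAT pools and DHCP churn.

```python
import ipaddress
import re
from typing import NamedTuple, Union

# Constructed web-server access log (sample input, not real data). Each line:
# timestamp client_ip "user-agent" sid=<session cookie> method path
SAMPLE_ACCESS_LOG = """\
2015-02-24T10:00:01Z 203.0.113.5 "Mozilla/5.0 (Windows NT 6.1) Firefox/35.0" sid=7f3a GET /login
2015-02-24T10:00:09Z 203.0.113.5 "Mozilla/5.0 (Windows NT 6.1) Firefox/35.0" sid=7f3a GET /account
2015-02-24T10:02:30Z 203.0.113.9 "Mozilla/5.0 (Windows NT 6.1) Firefox/35.0" sid=7f3a GET /statements
2015-02-24T10:05:44Z 198.51.100.77 "python-requests/2.5.1" sid=7f3a POST /transfer
2015-02-24T10:06:00Z 192.0.2.10 "Mozilla/5.0 (Macintosh) Safari/600.3" sid=9c1b GET /account
2015-02-24T10:06:15Z 192.0.2.10 "Mozilla/5.0 (Macintosh) Safari/600.3" sid=9c1b GET /statements
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<ua>[^"]*)" sid=(?P<sid>\S+) (?P<method>\S+) (?P<path>\S+)$'
)


class Binding(NamedTuple):
    network: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    user_agent: str


def client_network(ip: str):
    """Coarsen the client address to its /24 (IPv4) or /64 (IPv6) so that address
    churn inside one site does not raise alerts (assumed tolerance, tune per site)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def detect_session_hijacks(lines):
    """Bind each session id to the network and User-Agent that first used it, then
    flag later requests carrying that id from a different network or client."""
    bindings = {}
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        net = client_network(m["ip"])
        sid = m["sid"]
        if sid not in bindings:
            bindings[sid] = Binding(net, m["ua"])
            continue
        bound = bindings[sid]
        reasons = []
        if net != bound.network:
            reasons.append(f"network changed {bound.network} -> {net}")
        if m["ua"] != bound.user_agent:
            reasons.append("user-agent changed")
        if reasons:
            alerts.append({
                "sid": sid, "ts": m["ts"], "ip": m["ip"], "path": m["path"],
                "reasons": reasons,
                # Mitigation: a replayed cookie is only useful while the session lives.
                "action": "invalidate session and require re-authentication",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_session_hijacks(SAMPLE_ACCESS_LOG.splitlines()):
        print(alert)
```

In the sample, session 7f3a roams within 203.0.113.0/24 without complaint, but the POST to /transfer from 198.51.100.77 with a different client string is flagged; in production that check belongs in the application's session middleware, where it can terminate the session at request time rather than after the fact. Legitimate mobile users do change networks, so pair the network check with step-up authentication for sensitive actions instead of a hard block.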
WHY DO BOTNETS RE-EMERGE AFTER TAKEDOWNS?
According to the authorities, the Ramnit botnet has been taken down, but is there any guarantee that it will not re-emerge? We saw the GameOver Zeus botnet taken down by the FBI and Europol as well, and what happened in the end? Just a month later, the GameOver Zeus botnet was back in operation with even nastier features.
So what went wrong? Why are botnet takedowns ineffective? One reason could be that the organisations involved seize only a small fraction of the command-and-control domains that make up the botnet's critical infrastructure, leaving the majority active. It then takes a botnet operator only some months to recover.
As more and more botnets are taken down by law enforcement, cybercriminals are increasingly turning to secondary communication methods such as peer-to-peer networking or domain generation algorithms (DGAs).
One of the main reasons a botnet re-emerges is that the author of the malware was never arrested. No matter how many domains are taken down or how many sinkholes researchers set up, if the attackers are not arrested, nothing stops them from building a new botnet from scratch.
In that light, we really appreciate the FBI's step of offering a $3 million reward for information leading directly to the arrest or conviction of Evgeniy Mikhailovich Bogachev, the alleged author of the GameOver Zeus botnet, which cybercriminals used to steal more than $100 million from online bank accounts.
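A DGA fallback means the operator's next rendezvous domains do not exist yet when the takedown happens, so a sinkhole list is always behind. What a defender can see instead is the bots asking for them: streams of DNS queries for names that no human would have registered. The script below is an added example for this page, not code from the article, Symantec or Europol, and it does not implement any DGA; it scores queried names on simple lexical traits (entropy, length, vowel and digit ratios, consonant runs) and flags the outliers. The DNS log format, the client address and the domain names are constructed sample data, and the thresholds are assumptions tuned to that sample rather than published values.

```python
import math
import re
from collections import Counter

# Constructed DNS query log (sample input, not real data). Each line:
# timestamp client_ip queried_name record_type
SAMPLE_DNS_LOG = """\
2015-02-24T09:15:02Z 10.0.0.23 www.bankofexample.com A
2015-02-24T09:15:03Z 10.0.0.23 cdn.softwareupdates.com A
2015-02-24T09:15:07Z 10.0.0.23 xkqvjzprwtnlbgm.com A
2015-02-24T09:15:08Z 10.0.0.23 a7f3kd92lqz1.net A
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+)$")
VOWELS = set("aeiou")


def registrable_label(qname: str) -> str:
    """Return the label left of the TLD ("bankofexample" for www.bankofexample.com).
    Simplification: a real deployment consults the Public Suffix List so that
    names under multi-part suffixes such as co.uk are split correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(text: str) -> float:
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dga_features(label: str) -> dict:
    n = len(label)
    consonant_runs = re.findall(r"[^aeiou0-9-]+", label)
    return {
        "length": n,
        "entropy": shannon_entropy(label),
        "vowel_ratio": sum(ch in VOWELS for ch in label) / n,
        "digit_ratio": sum(ch.isdigit() for ch in label) / n,
        "longest_consonant_run": max((len(r) for r in consonant_runs), default=0),
    }


def dga_score(label: str) -> int:
    """Count how many 'looks machine-generated' traits a label shows (0 to 5).
    Thresholds are assumptions chosen for this sample, not published values."""
    f = dga_features(label)
    return sum([
        f["entropy"] > 3.5,
        f["length"] >= 15,
        f["vowel_ratio"] < 0.25,
        f["digit_ratio"] > 0.2,
        f["longest_consonant_run"] >= 5,
    ])


def flag_dga_queries(lines, threshold: int = 3):
    """Return queries whose registrable label scores at or above threshold, in log order."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip, do not crash the pipeline
        label = registrable_label(m["qname"])
        score = dga_score(label)
        if score >= threshold:
            hits.append({"ts": m["ts"], "client": m["client"], "qname": m["qname"], "score": score})
    return hits


if __name__ == "__main__":
    for hit in flag_dga_queries(SAMPLE_DNS_LOG.splitlines()):
        print(hit)
```

This is a triage heuristic, not a verdict: CDN hostnames and ad networks also produce odd-looking labels, so in practice the score is combined with the volume of NXDOMAIN answers a single client receives in a short window, which is the other signature of a bot walking through generated names that its operator has not registered yet.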
Ramnit has affected victims across the world and infections have been found in most countries. The worst affected countries in recent times have been India, Indonesia, Vietnam, Bangladesh, the US, and the Philippines.

Reviewed by Unknown on 2/25/2015