
Ramnit Malware Resurfaces and Becomes More Advanced to Avoid Detection

The Ramnit malware was once known for spreading virally and for helping attackers steal login details for social-network accounts as well as online banking accounts. Since that time last year, Ramnit has returned with a more vindictive nature: it now carries enhanced encryption, a new malicious payload and new anti-detection abilities.

In late 2012, Ramnit (W32.Ramnit / Ramnit Worm / Ramnit Botnet) resurfaced on the radar of Tim Liu of the Microsoft Malware Protection Center and other security researchers. At that time, Ramnit was observed to lack its old infection functionality and to have received what turned out to be a major enhancement to its botnet capabilities. Being a botnet, Ramnit can continually receive updates through its command and control servers, which it has recently done in a major way.

In 2010, Ramnit was simply known as a botnet focused on online banking accounts, Facebook passwords and FTP log-ins. Today, Ramnit has resurfaced with a completely new face, boasting about four new upgrades, all strengthened by its ability to avoid detection through rootkit functionality.

Rootkit-type infections are among the nastiest malware threats known to security researchers because of their ability to hide the fact that a system has been compromised. Basically, rootkits commonly deny administrator access, limiting the ability to execute or tamper with processes and security files. Combined with botnet capabilities, a rootkit could be boundless in its approach to performing malicious activities on an infected system; all it would need to do is receive the necessary commands or instructions from its command and control server.

The latest iteration of Ramnit seems to be a step ahead of antivirus products: it was found to carry a long list of antivirus product process names, all part of its effort to avoid detection. So far this technique has been successful, as it actively terminates every running process whose name matches an entry on its antivirus process list.
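The process-killing behaviour described above leaves a recognisable trace for defenders: one process terminating several security-product processes within seconds of each other. As an added, defender-side illustration (not code from the article or from the researchers it cites), the snippet below scans constructed process-termination log lines for exactly that burst. The log format, the watchlisted process names and the window/threshold values are assumptions made for this example, not Ramnit's actual target list or the logging format of any particular product.

```python
"""Flag bursts of security-product process terminations in a process log.

Defender-side heuristic written for this example.  The log format, the
watchlist and the sample events below are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one process-termination event per line in the
# assumed format "<ISO timestamp> TERMINATE <image name> <terminator image>".
SAMPLE_LOG = """\
2013-01-14T10:02:11 TERMINATE notepad.exe explorer.exe
2013-01-14T10:02:40 TERMINATE MsMpEng.exe updater.exe
2013-01-14T10:02:41 TERMINATE avp.exe updater.exe
2013-01-14T10:02:43 TERMINATE mcshield.exe updater.exe
2013-01-14T10:05:00 TERMINATE chrome.exe explorer.exe
2013-01-14T11:30:00 TERMINATE ekrn.exe ekrn.exe
"""

# Constructed watchlist (lower-cased) of common security-product process
# names a defender might monitor; extend it to match your own estate.
WATCHLIST = {"msmpeng.exe", "avp.exe", "mcshield.exe", "ekrn.exe", "avgnt.exe"}

LINE_RE = re.compile(r"^(\S+) TERMINATE (\S+) (\S+)$")


def parse_events(log_text):
    """Return a list of (timestamp, image, terminator) tuples.

    Malformed lines are skipped rather than aborting the scan, and image
    names are lower-cased so the watchlist match is case-insensitive.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        events.append((ts, m.group(2).lower(), m.group(3).lower()))
    return events


def find_av_kill_bursts(events, window=timedelta(seconds=60), threshold=3):
    """Return alerts as (first_timestamp, terminator, sorted killed images).

    An alert fires when a single terminator ends at least `threshold`
    distinct watchlisted processes within `window`.  A process ending
    itself (normal shutdown) is ignored.
    """
    by_terminator = defaultdict(list)
    for ts, image, terminator in events:
        if image in WATCHLIST and image != terminator:
            by_terminator[terminator].append((ts, image))

    alerts = []
    for terminator, seq in by_terminator.items():
        seq.sort()
        i = 0
        while i < len(seq):
            start = seq[i][0]
            killed = set()
            j = i
            # Collect every watchlisted termination inside the sliding window.
            while j < len(seq) and seq[j][0] - start <= window:
                killed.add(seq[j][1])
                j += 1
            if len(killed) >= threshold:
                alerts.append((start, terminator, sorted(killed)))
                i = j  # move past this burst so it is reported once
            else:
                i += 1
    alerts.sort()
    return alerts


if __name__ == "__main__":
    for start, terminator, killed in find_av_kill_bursts(parse_events(SAMPLE_LOG)):
        print(f"{start.isoformat()} {terminator} terminated {', '.join(killed)}")
```

On the constructed sample this reports one burst: `updater.exe` ending three watchlisted processes within four seconds, while the unrelated `explorer.exe` terminations and the self-exit of `ekrn.exe` are ignored. In practice the window and threshold should be tuned against the noise of legitimate product updates, which also stop and restart their own services.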

Also included in Ramnit's vindictive update are its new payload modules. In a nutshell, Ramnit no longer needs to rely on updates from other botnets such as Zeus: it has a custom-built data and credential-stealing component, known as a Hook&Spy module, of the kind native to Zeus. "By doing this, Ramnit finally has its own bank stealth module which can be updated by itself and does not rely on [Zeus] updates anymore," Liu said.

The intention of the new and improved Ramnit is to keep its varied malware components out of the reach of detection. Additionally, it has a self-contained payload that may give it a reach further than any other botnet we have seen to date. With these implications, Ramnit could initiate future destruction on an unprecedented scale if it is put in the wrong hands.
