Despite the EC3 and Europol operations, the Ramnit botnet is still active

Despite numerous reports by news agencies that Europol has carried out a massive operation to stop the operation of the Ramnit botnet, Doctor Web analysts continue to monitor its activity. According to information in the media, British police specialists dealing with the fight against cybercrime, together with experts from Germany, Italy and the Netherlands limited the activity of several major servers controlling and managing the Ramnit botnet.

According to press releases, on February 24, 2015, the control and management servers of the Ramnit botnet were excluded due to joint efforts of several organizations. This operation involved the European Anti-Cybercrime Center operating within Europol, CERT-EU, Symantec, Microsoft, AnubisNetworks and other European organizations. For example, on the Europol website it was reported that IT security specialists managed to capture about 300 Internet domain addresses containing control and management servers generated by this malicious program, and Reuters informs that 7 control and management servers were shut down during this operation. According to information provided by Symantec, this operation deactivated the botnet containing 350,000 infected devices, and based on information from Microsoft, their total number could reach 500,000.

Doctor Web security researchers monitor several botnet subnetworks created by hackers using different versions of the Rmnet virus. Thus, the modification called Win32.Rmnet.12 is known since September 2011. Win32.Rmnet.12 is a complex, multi-component virus that infects files, consisting of several modules. Has the ability to self-replicate. It can execute commands issued by criminals, embed content in loaded websites (which in theory allows cybercriminals to gain access to information about victims' bank accounts), and steal "cookies" and passwords saved on popular FTP clients such as Ghisler, WS FTP, CuteFTP, FlashFXP, FileZilla, Bullet Proof FTP and more.

The subsequent virus modification, Win32.Rmnet.16, differs from its predecessor in several architectural functions, such as the use of a digital signature when selecting a control and management server. The virus is also able to execute commands to download and run independent files, self-update, take screen shots and send them to cybercriminals, and make the operating system unable to continue working. In addition, one of the modules is able to disable the main processes of popular antivirus programs. Like its predecessor, Win32.Rmnet.16 can modify the main boot sector (MBR) of the disk and save files at the end of the disk area in an encrypted form.

Despite the fact that numerous press agencies reported on a successful operation aimed at blocking the activity of the Ramnit botnet, Doctor Web experts did not notice any drop in the activity of botnets monitored by their anti-virus laboratory. Until now, Doctor Web security researchers have learned about at least 12 subnets of the Ramnit botnet, using the algorithm of generating control and management server domains and at least two subnets of Win32.Rmnet.12, which do not use automatic domain generation (Symantec specialists blocked one of sub-networks with the 79159c10 originator belonging to the first of these categories).

For example, two subnets of Win32.Rmnet.12 still infect 250 - 270 thousand hosts per day, as illustrated below:

However, the Virus.Rmnet.16 virus subnet, monitored by the Doctor Web security researchers, shows much smaller daily activity, but there are also no "failures" associated with the possible shutdown of the control and management servers:

A similar situation occurs when monitoring computers infected with another malicious module, known as Trojan.Rmnet.19, which is presented in the following chart:

The statistics presented show that the organizers of the operation aimed at destroying the Ramnit botnet apparently suffered a failure to eliminate all the control and management servers of this botnet. At least 500,000 computers infected with various virus modifications remain active and respond to commands from surviving servers. Doctor Web will continue to monitor the situation regarding this threat.

source: Doctor Web



Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.