Europol, Security Firms Team Up to Disrupt Ramnit Botnet
Microsoft, Symantec, AnubisNetworks and Europol work together to take down Ramnit, malware that infected more than an estimated 3.2 million computers over four years.

Three technology companies teamed up with international law enforcement to disrupt the Ramnit botnet, sinkholing more than 300 domains and seizing servers in four European countries, the organizations stated on Feb. 25. Since at least 2010, Ramnit has spread to systems by infecting files and has evolved into modular bot software focused on stealing passwords and online banking credentials. Europol, the pan-European law enforcement agency, worked with Microsoft, Symantec and AnubisNetworks, as well as officials from Germany, Italy, the Netherlands and the United Kingdom, to disrupt the botnet. Ramnit has infected an estimated 3.2 million systems in the past four years, with up to 350,000 computers currently compromised, Symantec stated in an analysis of the threat.

"Ramnit has been one of the top threats for the last four or five years," Liam O'Murchu, senior development manager for Symantec's security response group, told eWEEK. "Because it is a file infector, once you got hit with Ramnit, you could have thousands of files on your computer infected with the malware."
The Ramnit malware uses a variety of techniques to hide itself from detection, blacklists more than 300 domains used by antivirus applications and uses a domain-generation algorithm to create a list of more than 300 domains to which it could connect. The program attempts to connect to the command-and-control server at one of those domains, verifies the server using a digital signature and encrypts communications. The command-and-control server will send a configuration file to Ramnit that includes a list of the information that the malware should gather. When the victim attempts to connect to a Website included on the list, Ramnit will send the log-in credentials to the attackers.
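The two behaviours described above, lookups of algorithmically generated domains and connections to command-and-control infrastructure that has since been sinkholed, are exactly what a defender would hunt for in DNS query logs after a takedown like this. The following script is an added illustration written for this page, not code from Symantec, Microsoft or the article: it parses a constructed DNS log, matches queries against a placeholder sinkhole list, and applies a generic lexical heuristic (consonant runs, character entropy, vowel ratio) to flag domain names that look machine-generated. It does not implement Ramnit's actual domain-generation algorithm, which the article does not describe, and the domains and log lines are made-up sample data.

```python
"""Triage DNS query logs for sinkhole hits and DGA-like domain names.

Added example for this article (hypothetical code, not from the page or the
vendors named in it). The heuristic is generic and is NOT Ramnit's DGA; the
log lines and the sinkhole list are constructed sample data.
"""
import math
from collections import Counter

VOWELS = set("aeiou")

# Constructed placeholder stand-ins for sinkholed C2 domains (not real IoCs).
SINKHOLED_DOMAINS = {"hlkbdnqzvprtgs.net", "sinkhole-placeholder.example"}

# Constructed sample log, one query per line: "<timestamp> <client> <qtype> <qname>".
SAMPLE_DNS_LOG = """\
2015-02-25T10:00:01Z 10.0.0.12 A www.example.com
2015-02-25T10:00:02Z 10.0.0.12 A mail.example.org
2015-02-25T10:00:03Z 10.0.0.12 A xqzvkplrmtwy.com
2015-02-25T10:00:04Z 10.0.0.12 A hlkbdnqzvprtgs.net
2015-02-25T10:00:05Z 10.0.0.12 A updates.vendor-cdn.com
2015-02-25T10:00:06Z 10.0.0.12 A jwqmfzxpckbvl.org
"""


def second_level_label(qname):
    """Return the label left of the TLD, e.g. 'example' for 'www.example.com'.

    Simplification: the last label is treated as the TLD (no public-suffix list).
    """
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(text):
    """Bits of entropy per character; generated labels tend to score high."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_consonant_run(text):
    """Length of the longest run of consonant letters (non-letters break a run)."""
    run = best = 0
    for ch in text:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def vowel_ratio(text):
    """Fraction of letters that are vowels; natural-language labels sit near 0.4."""
    letters = [c for c in text if c.isalpha()]
    if not letters:
        return 0.0
    return sum(c in VOWELS for c in letters) / len(letters)


def looks_generated(qname, min_len=10):
    """Heuristic: long label with an unpronounceable consonant run, or high
    entropy combined with few vowels. Thresholds are illustrative."""
    label = second_level_label(qname)
    if len(label) < min_len:
        return False
    return longest_consonant_run(label) >= 5 or (
        shannon_entropy(label) >= 3.5 and vowel_ratio(label) < 0.3
    )


def parse_dns_log(text):
    """Parse the four-column constructed log format into dicts; skip bad lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        records.append(
            {"ts": ts, "client": client, "qtype": qtype,
             "qname": qname.lower().rstrip(".")}
        )
    return records


def triage(log_text, sinkholed=SINKHOLED_DOMAINS):
    """Split queries into known sinkhole hits (high confidence) and
    DGA-looking names (lower confidence, needs analyst review)."""
    hits = {"sinkhole": [], "dga_like": []}
    for rec in parse_dns_log(log_text):
        if rec["qname"] in sinkholed:
            hits["sinkhole"].append(rec)
        elif looks_generated(rec["qname"]):
            hits["dga_like"].append(rec)
    return hits


if __name__ == "__main__":
    for category, recs in triage(SAMPLE_DNS_LOG).items():
        for rec in recs:
            print(f"{category:9s} {rec['client']} -> {rec['qname']}")
```

A sinkhole match identifies an infected host with high confidence and should be handled as an incident; the lexical heuristic is only a triage signal, because legitimate CDN and tracking hostnames also produce odd labels, so its output belongs in an analyst queue rather than an automatic block list.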