Europol, Security Firms Team Up to Disrupt Ramnit Botnet

Microsoft, Symantec, AnubisNetworks and Europol work together to take down Ramnit, malware that infected more than an estimated 3.2 million computers over four years.

Ramnit botnet

Three technology companies teamed up with international law enforcement to disrupt the Ramnit botnet, sinkholing more than 300 domains and seizing servers in four European countries, the organizations stated on Feb. 25.

Since at least 2010, Ramnit has spread to systems by infecting files and has evolved into modular bot software focused on stealing passwords and online banking credentials. Europol, the pan-European law enforcement agency, worked with Microsoft, Symantec and AnubisNetworks, as well as officials from Germany, Italy, the Netherlands and the United Kingdom, to disrupt the botnet.

Ramnit has infected an estimated 3.2 million systems in the past four years, with up to 350,000 computers currently compromised, Symantec stated in an analysis of the threat.

"Ramnit has been one of the top threats for the last four or five years," Liam O'Murchu, senior development manager for Symantec's security response group, told eWEEK. "Because it is a file infector, once you got hit with Ramnit, you could have thousands of files on your computer infected with the malware."

The Ramnit malware uses a variety of techniques to hide itself from detection, blacklists more than 300 domains used by antivirus applications and uses a domain-generation algorithm to create a list of more than 300 domains to which it could connect. The program attempts to connect to the command-and-control server at one of those domains, verifies the server using a digital signature and encrypts communications. The command-and-control server will send a configuration file to Ramnit that includes a list of the information that the malware should gather. When the victim attempts to connect to a Website included on the list, Ramnit will send the log-in credentials to the attackers.

While early versions of Ramnit were fairly simple and focused on infecting systems through removable USB drives, the operators soon expanded the software's propagation routines to include the exploitation of vulnerabilities. In 2011, the developers added modular functionality to the program, copying capabilities of the Zeus banking Trojan after the source code for that program was leaked to the Internet.

The majority of Ramnit victims appear to be in Asia, according to Symantec's analysis. Approximately 27 percent of the victims are in India, 18 percent in Indonesia and 12 percent in Vietnam. Only 6 percent of the victims of the cyber-criminal group are in the United States.

Law enforcement officials redirected the 300 domains that Ramnit servers were expected to connect to on Feb. 24. In addition, officials seized several servers that were part of the operators' infrastructure.

"This successful operation shows the importance of international law enforcement working together with private industry in the fight against the global threat of cybercrime," Wil van Gemert, Europol's deputy director operations, said in a statement. "We will continue our efforts in taking down botnets and disrupting the core infrastructures used by criminals to conduct a variety of cybercrimes."

While no arrests were announced in connection with the cyber-criminal operation, analysis of the seized servers could result in enough information to identify the criminals, Symantec's O'Murchu said.

"Because we were able to seize the servers that the attackers were using, we hope there is some information that allows us to identify the attackers," he said.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...