Europol takes down Ramnit botnet that infected millions of computers

25220794_sEuropol, assisted by Microsoft, Symantec, and Anubis Networks have successfully taken down a massive bot network that infected over 3.2 million computers. This huge network was created by infecting computers with the Ramnit malware. Police from Germany, Italy, the Netherlands, and the UK were involved as they shut down several servers being used for this purpose.

The Zombie Network

A botnet is a collection of bots: internet-connected programs communicating with other similar programs in order to perform tasks. The nature of the task, as in this case, is often malicious. It could be used for a massive spamming program or for performing a DDoS attack. Another good example are the Skype bots that are still going around.  The program used here was Ramnit, which allowed the cyber criminals to disable antivirus protection and steal personal and financial data from their victims.

Ramnit- The past, present and future

In earlier versions, Ramnit was capable of infecting any EXE, DLL, HTM or HTML file on fixed or removable drives. Now, its methods have diversified. By borrowing a few modules from the “Zeus trojan” it has turned into a full blown cyber crime tool. Modules like “Spy module,” “Cookie grabber,” and “Anonymous FTP server” make this malware capable of logging browsing sessions, stealing cookies, personal data and even aggressively spreading itself. Over the years, Ramnit has changed from a parasitic, quickly spreading virus to a more dormant zombie virus in order to avoid easy detection.

Whenever Ramnit infects a computer it places a copy of itself in the hard drive as well as in memory. The active memory process monitors the hard drive copy and creates a new one if the old copy appears to have been deleted. This makes Ramnit a difficult to remove and persistent threat. Despite the operation conducted by Europol, people already infected by Ramnit remain vulnerable because the malware on their computers could be re-activated and do further damage.

The countries with the highest infection rate are:

  1. India- 27%
  2. Indonesia- 18%
  3. Vietnam- 12%
  4. Bangladesh- 9%
  5. U.S.- 6%

Infected machines in the U.K count up to almost 33,000. Europol is urging people to check their computers for Ramnit infections. A Ramnit removal tool created by Symantec can be found here. Most anti-malware programs detect Ramnit including Emsisoft Anti-Malware.

It is expected that Ramnit infections should drop considerably after the seizure of the infrastructure used by the cybercriminals behind the botnet.

The Europol Operation

Europol began this operation after being informed by Microsoft about the rising number of Ramnit infections. Europol have successfully seized servers used by the cybercriminals in four countries. Hundreds of domains being used by the botnet operators were also taken down.
Microsoft also filed a lawsuit in the U.S. federal court by Microsoft and the Financial Services Information Sharing and Analysis Center.
As of now there have been no arrests, but there is an ongoing British investigation regarding this issue.
Europol hopes that this operation will safeguard U.K and several other countries from further Ramnit based attacks.

A promising statement by Wil van Gemert, the Europol deputy director of operations suggests continued action against cybercriminals:

“We will continue our efforts in taking down botnets and disrupting the core infrastructures used by criminals to conduct a variety of cybercrimes … our aim is to protect people around the world against these criminal activities”

In 2012, Ramnit managed to steal over 45,000 Facebook logins which clearly demonstrated the dangers posed by this network. Hopefully this new operation and continued checks by Europol and other authorities will bring an end to this threat.

Have a nice (malware-free) day!