Symantec, Microsoft Support Global Ramnit Botnet Takedown

A global law enforcement operation struck a blow at the servers supporting Ramnit, a dangerous botnet with malicious toolsets that give criminals the ability to steal account credentials and manipulate banking websites.

The global sweep conducted Wednesday seized the notorious botnet's command-and-control infrastructure. It was led by Europol's European Cybercrime Centre and supported by Microsoft, Symantec and AnubisNetworks. Ramnit infected 3.2 million computers globally, spreading to Windows PCs through phishing emails carrying malicious links and through compromised websites.

Servers were seized in Germany, Italy, the Netherlands and the United Kingdom, according to Europol.

[Related: Zeus Banking Malware Active Despite Recent Botnet Takedown]


Security researchers actively monitoring the botnet have noted its significant growth in recent years. In addition to monitoring browsing sessions and stealing account credentials, the malware gives attackers the ability to remotely manipulate an infected system and in some cases impersonate the victim to make fraudulent wire transfers.

"The group has been in operation for at least five years and in that time has evolved into a major criminal enterprise," said Symantec, which developed a tool designed to remove the Ramnit botnet's malware from infected systems. "It is hoped that today's operation will strike a significant blow against the resources and capabilities of the gang."

Symantec said Ramnit first appeared in 2010, spreading quickly by seeking out removable drives and infecting them with copies of itself. The malicious tools associated with the botnet include a spy module capable of monitoring victims' browsing habits and a session cookie grabber, which lets attackers impersonate the victim by hijacking already-authenticated web sessions without needing the password.

The botnet’s success elevated it into the limelight with security firms estimating that at one point Ramnit malware variants accounted for more than 17 percent of malicious software blocked by antivirus vendors. It was connected to a global campaign to steal FTP account credentials.

In 2012, Ramnit malware was linked to a campaign against Facebook users that stole as many as 45,000 account passwords in an attempt to spread through malicious links sent to the account holders' connections.

Financially motivated cybercriminals often infiltrate small and midsize businesses by targeting employees with system privileges. Last year, the U.S. Justice Department detailed how the Zeus banking Trojan was responsible for bilking a plastics manufacturer of more than $375,000.

Solution providers tell CRN that law enforcement operations have a positive short-term impact on cybercriminal operations. Business owners need to carefully assess whether the investments that have already been made are properly deployed and configured and determine whether any significant gaps exist, said Kevin Wheeler, founder and managing director of Dallas-based information security services company InfoDefense. Organizations often don’t have advanced threat detection capabilities enabled in security appliances or don’t have critical components fully functioning, Wheeler said.

"Senior management is often worried about the performance impact on the environment, but in most cases the technologies are pretty safe to turn on," Wheeler said. "You need to constantly assess whether systems are properly configured and whether changes to the environment have changed the size of your attack surface."

When organized cybercriminals begin to have a major financial impact on large enterprises, it prompts interest in striking at the infrastructure supporting the attack campaigns. Microsoft, working with financial services firms and pharmaceutical companies, has used the court system to seize command-and-control servers associated with botnets that peddle spam and support phishing campaigns and malware. In 2013 it took out the dangerous Citadel botnet, a banking Trojan built on the leaked Zeus source code, and in previous years at least six other botnets were temporarily disrupted. The campaigns are seen as a temporary success: organized cybercriminals often recover parts of their infrastructure, regroup and eventually ramp up new attack campaigns.

In an operation supported by Microsoft, the ZeroAccess clickfraud botnet was disrupted at the end of 2013, wiping infections from 500,000 PCs. Researchers estimated that the attackers behind ZeroAccess earned as much as $1 million a day at the peak of its operations.