Last week, European law enforcement shut down a botnet of 3.2 million computers with the help of Microsoft, Symantec, and Anubis Networks. Ramnit and its dangers have been known for five years. Although it started as a simple worm, it evolved into a complex virus that used several methods to gather information from its victims and to spread.
There were six modules to Ramnit:
Spy module- Ramnit would watch what pages were viewed by its victim and manipulate web forms on certain pages to get extra information. For example, it could add a “credit card number” field to an account creation page, and send that value back to the hackers.
Cookie grabber- It sent cookies from its victims to the hackers, so they could steal authenticated sessions on banking sites.
Drive scanner- Scanned the victim’s hard drive and sent files back to the hackers, specifically from folders likely to hold sensitive information.
FTP server- Created an FTP server on the user’s computer, so hackers could upload and download files from it with ease.
VNC- Allowed hackers to VNC into the victim’s computer at any time.
FTP grabber- Would grab credentials for FTP servers that the victim had access to.
Ramnit was spread via infected files hidden in downloads on compromised websites, including several public FTP servers that had been compromised by way of the FTP grabber. It evaded most anti-virus programs because it also copied itself into memory, so if it was wiped from the victim’s hard drive, it would re-install itself.
It was taken down when police forces in Germany, Italy, the Netherlands, and the U.K. seized the servers the hackers were operating from.