Win32/Ramnit

Forum for analysis and discussion about malware.
EP_X0FF
Global Moderator
Posts: 4811
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Win32.Ramnit

Post by EP_X0FF » Fri Mar 15, 2013 2:56 am

kmd wrote: does anybody have new ramnit from this mmpc blog entry?
http://blogs.technet.com/b/mmpc/archive ... -town.aspx

It isn't really new :)

For AV kill see driver from this attach -> http://www.kernelmode.info/forum/viewto ... 832#p10832
It is still the same "Demetra" module. Ramnit receives a list of processes in IrpDispatchRoutine and passes it to a special procedure that starts a system thread. This thread runs an infinite loop of ZwQuerySystemInformation with the ProcessesAndThreads flag, scanning after a short delay. Then it compares process names with the received ones using RtlEqualUnicodeString. If they are equal, the malware attempts to terminate that process -> PsLookupProcessByProcessId -> ObOpenObjectByPointer -> ZwTerminateProcess. The driver has an unload procedure :)
Ring0 - the source of inspiration
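A static triage check for the kill chain described in the post above, added here as an example (it is not code from the thread or from the Ramnit sample): it scans a driver image for the import names EP_X0FF lists and reports whether the whole terminate chain is present. The sample byte strings are constructed stand-ins for a driver image.

```python
import re

# The kernel APIs named in the post, in the order the kill loop uses them.
DEMETRA_CHAIN = (
    "ZwQuerySystemInformation",    # enumerate processes from the system thread
    "RtlEqualUnicodeString",       # compare names against the received list
    "PsLookupProcessByProcessId",  # PID -> EPROCESS
    "ObOpenObjectByPointer",       # EPROCESS -> handle
    "ZwTerminateProcess",          # kill the matched process
)

# Import-by-name entries are stored as plain ASCII strings in the PE import
# name table, so a raw scan of the image is enough for a first-pass triage.
_API_NAME = re.compile(rb"(?:Zw|Nt|Rtl|Ps|Ob|Io|Ke|Ex|Mm)[A-Za-z0-9]{3,64}")

def extract_api_names(image: bytes) -> set:
    """Return the set of kernel-style API names that appear as ASCII strings."""
    return {m.group(0).decode("ascii") for m in _API_NAME.finditer(image)}

def demetra_kill_chain_score(image: bytes) -> dict:
    """Report which links of the described chain are present and whether all are."""
    names = extract_api_names(image)
    present = [api for api in DEMETRA_CHAIN if api in names]
    return {
        "present": present,
        "missing": [api for api in DEMETRA_CHAIN if api not in names],
        "full_chain": len(present) == len(DEMETRA_CHAIN),
    }

# Constructed samples: fake import-name blobs standing in for driver images.
SAMPLE_DRIVER = (
    b"\x00\x00IoCreateDevice\x00\x00ZwQuerySystemInformation\x00"
    b"\x00RtlEqualUnicodeString\x00\x00PsLookupProcessByProcessId\x00"
    b"\x00ObOpenObjectByPointer\x00\x00ZwTerminateProcess\x00\x00IoDeleteDevice\x00"
)
BENIGN_DRIVER = b"\x00IoCreateDevice\x00\x00IoDeleteDevice\x00\x00ZwClose\x00"

if __name__ == "__main__":
    print(demetra_kill_chain_score(SAMPLE_DRIVER))
    print(demetra_kill_chain_score(BENIGN_DRIVER))
```

The full chain is a triage signal, not a verdict: legitimate security products import the same APIs, so a hit should be confirmed by looking at how the driver uses them.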

rough_spear
Posts: 163
Joined: Mon Oct 18, 2010 4:46 pm
Location: India

Re: Win32/Ramnit

Post by rough_spear » Fri Jun 07, 2013 6:41 am

Hi All, :D

Here is Ramnit dropper.

MD5 - 6285bda905138b3f97c33198c7376104

VT link - https://www.virustotal.com/en/file/3866 ... 370586565/

Regards,


rough_spear. :)

patriq
Posts: 108
Joined: Fri Jun 28, 2013 8:11 pm

Re: Win32/Ramnit

Post by patriq » Wed Jul 30, 2014 6:49 pm

The Ramnit bot first appeared around April 2010 as a file infector that infects PE32 files (.exe, .scr and .dll) and HTML documents. Now it is a multi-purpose bot that can steal sensitive data such as FTP accounts and browser cookies. During the summer of 2011 Ramnit reached its peak population, accounting for more than 17% of all infections. It is clear, however, that the botnet owners could not be satisfied with merely reaching this mark, and the malware's area of interest shifted from infection and identity theft to attacks on financial institutions, borrowing some modules from the leaked Zeus. In this article we will dive deeper into the analysis of Ramnit and the functionality of each of its components. You'll see how powerful a beast it has become, and we will shed light on its probable development.
hxxps://damagelab.org/index.php?showtopic=25315&st=0&p=142266&#entry142266

Anyone have a sample of this new version?

EP_X0FF
Global Moderator
Posts: 4811
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Win32/Ramnit

Post by EP_X0FF » Wed Jul 30, 2014 7:06 pm

It is not a new version. This trash has been attached here multiple times, including the file infector and the driver agent, which for unknown reasons they call a "rootkit" - Demetra.

This "article" is a Russian translation of the original VB November 2012 article by Chao Chen from Fortinet. I assume it is coru.ws plagiarism, as they didn't provide any links or credits to the original author.

https://www.virusbtn.com/virusbulletin/ ... Ramnit.dkb

EP_X0FF
Global Moderator
Posts: 4811
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Win32/Ramnit

Post by EP_X0FF » Tue Mar 03, 2015 9:53 am

Microsoft Malware Protection Center assists in disrupting Ramnit
http://blogs.technet.com/b/mmpc/archive ... amnit.aspx

R136a1
Forum Admin
Posts: 218
Joined: Wed Jul 13, 2011 4:30 pm
Location: Netherlands

Re: Win32/Ramnit

Post by R136a1 » Tue Mar 03, 2015 10:25 am

Dr.Web reports that it's not (entirely) dead: https://news.drweb.com/show/?i=9310&lng=en&c=14

malwarelabs
Posts: 44
Joined: Tue Dec 10, 2013 9:07 am

Re: Win32/Ramnit

Post by malwarelabs » Thu Mar 05, 2015 8:50 am

Fresh sample attached https://www.virustotal.com/en/file/edb8 ... 425300904/
pwd: infected

tim
Posts: 21
Joined: Sat Aug 31, 2013 8:38 am

Re: Win32/Ramnit

Post by tim » Thu Mar 19, 2015 10:42 pm

malwarelabs wrote: Fresh sample attached https://www.virustotal.com/en/file/edb8 ... 425300904/
pwd: infected

Is this actually new? It calls an old domain used by RAMNIT in the past, which is already sinkholed?

baordog
Posts: 1
Joined: Tue Mar 24, 2015 9:25 pm

Re: Win32/Ramnit

Post by baordog » Tue Mar 24, 2015 9:32 pm

egyp7 wrote: > Assume it coru.ws plagiarism as they didn't provided any links or credits to original author.

I'm sorry for this off-topic, but you're wrong in that opinion. All credits were preserved; at the end of the translated article by a member of coru.ws, the original source of the research was posted:
3. CONCLUSION
Since its first discovery in April 2010, Ramnit has become a powerful bot with an extensible modular architecture and the integration of sophisticated components, and it poses a significant threat to the information and financial security of individuals and institutions.
Given Ramnit's rapid spread through social engineering tricks and the periodic improvement of its modules, it is quite likely that the battle against Ramnit is only beginning.
NOVEMBER 2012 VIRUS BULLETIN
What is coru.ws? Looks like Russian anon.

gritland
Posts: 31
Joined: Tue May 11, 2010 10:57 am

Re: Win32/Ramnit

Post by gritland » Thu Dec 17, 2015 12:20 pm

Please share hooker.dll
