[EP_X0FF]

does anybody have new ramnit from this mmpc blog entry?

http://blogs.technet.com/b/mmpc/archive ... -town.aspx

It isn't really new :)

For AV kill see driver from this attach -> http://www.kernelmode.info/forum/viewto ... 832#p10832
It is still the same "Demetra" module. Ramnit receives list of processes in IrpDispatchRoutine and passes it to special procedure that starts system thread. This thread does infinite loop of ZwQuerySystemInformation with ProcessesAndThreads flag, scan set on a short delay. Then it compares process names with received by using RtlEqualUnicodeString. If they are equal malware attemtps to terminate this process -> PsLookupProcessByProcessId -> ObOpenObjectByPointer -> ZwTerminateProcess. Driver has unload procedure :)

[rough_spear]

Hi All, :D

Here is Ramnit dropper.

MD5 - 6285bda905138b3f97c33198c7376104

VT link - https://www.virustotal.com/en/file/3866 ... 370586565/

Regards,


rough_spear. :)

[patriq]

BOT Ramnit first appeared ~ April 2010, as a file infector infects pe32 (. exe,. scr and. dll) and HTML-documents. Now this multi-bot that can steal sensitive data, such as FTP-accounts and browser cookies. During the summer of 2011 ramnit reached its peak population, occupying more than 17% of all infections. clear, however, that the botnet owners could not be udovletovreny only one taking this mark, and the region of interest Malvar moved from one infection and identity theft to attacks on financial institutions, borrowing some of the modules of the leaked Zeus. In this article we will dive deeper into the analysis of Ramnit, the functionality in each of its components. You'll see how powerful it has become a beast, and we shed light on its probable development.

hxxps://damagelab.org/index.php?showtopic=25315&st=0&p=142266&#entry142266

Anyone have a sample of this new version?

[EP_X0FF]

It is not a new version. This trash multiple times attached here including file infector and driver agent for unknown reasons they call it "rootkit" - Demetra.

This "article" is a translated to Russian VB nov 2012 original article by Chao Chen from Fortinet. Assume it coru.ws plagiarism as they didn't provided any links or credits to original author.

https://www.virusbtn.com/virusbulletin/ ... Ramnit.dkb

[EP_X0FF]

Microsoft Malware Protection Center assists in disrupting Ramnit
http://blogs.technet.com/b/mmpc/archive ... amnit.aspx

[R136a1]

Dr.Web reports that it's not (entirely) dead: https://news.drweb.com/show/?i=9310&lng=en&c=14

[malwarelabs]

Fresh sample attached https://www.virustotal.com/en/file/edb8 ... 425300904/
pwd: infected

[tim]

Fresh sample attached https://www.virustotal.com/en/file/edb8 ... 425300904/
pwd: infected

?
Is this actually new? it calls an old domain used by RAMNIT in the past and is sinkholed already ?

[baordog]

> Assume it coru.ws plagiarism as they didn't provided any links or credits to original author.
I'm sorry for this offtop, but you're wrong in that opinion. All creds was saved, in the end of translated article by member of coru.ws was posted original source of research :

3. ЗАКЛЮЧЕНИЕ
С момента своего первого открытия в апреле 2010 года, Ramnit стал мощным ботом с расширяемой модульной архитектурой, интеграцией сложных компонентов и создает значительную угрозу информационной и финансовой безопасности частных лиц и учреждений.
Учитывая быстрое распространение Ramnit через трюки из социальной инженерии и периодические улучшения модулей, вполне вероятно, что битва против Ramnit только начинается.
NOVEMBER 2012 VIRUS BULLETIN

What is coru.ws? Looks like Russian anon.

[gritland]

share please hooker.dll