Ramnit evolves into a financial malware (Aug 25, 2011)

SonicWALL UTM Research team received reports of a new variant of Ramnit malware spreading in the wild.

The Ramnit malware family is known for following capabilities:

• File infector: infects files with EXE, DLL, SCR, HTM and HTML extensions by appending its code.
• Network propagation: Spreads via network shares and USB devices.
• Backdoor: Creates a backdoor where it can receive remote instructions.
• Steals FTP credentials and browser cookies.

The latest variant also incorporates Zeus-like Man-in-the-Browser (MitB) web inject functionality to steal Online Banking credentials. It is highly likely that some modules of the Zeus source code (leaked earlier this year) have been integrated into it.

The sample under investigation performs following activities on the infected system:

• Creates a copy of itself as (Local Settings)Tempdbsoowwjviewtmlp.exe (random filename generated per system).
• Initiates two instances of svchost.exe processes and injects code into it.
• Infects executable files having .EXE and .DLL extensions by appending malicious code to the files. Below is a sample list of files under Program Files that were infected:
  • AdobeReader 9.0ReaderLogTransport2.exe
  • AdobeReader 9.0Readerpe.dll
  • AdobeReader 9.0Readersqlite.dll
  • Common FilesAdobeAcrobatActiveXAcroIEHelper.dll
  • Common FilesAdobeAcrobatActiveXAcroPDF.dll
  • Common FilesAdobe AIRVersions1.0Resourcestemplate.exe
  • Common FilesDESIGNERMSADDNDR.DLL
  • Common FilesJavaJava Updatejusched.exe
  • Common FilesMicrosoft SharedMSDesigners7MSVCP71.DLL
  • Common FilesMicrosoft SharedOFFICE11MSO.DLL
  • Common FilesMicrosoft SharedOFFICE11MSSOAP30.DLL

  The infected executable files will have an additional section containing malicious code:

  
  

• Makes registry modifications to launch itself upon system reboot. It also disables the Windows Safe Mode feature by deleting registry keys from following locations:
  • HKLMSYSTEMControlSet001ControlSafeBootMinimal
  • HKLMSYSTEMControlSet001ControlSafeBootNetwork
  • HKLMSYSTEMCurrentControlSetControlSafeBootMinimal
  • HKLMSYSTEMCurrentControlSetControlSafeBootNetwork

  Subsequent attempts to reboot infected system in Safe Mode will result in Blue Screen of Death (BSoD) crash.

  
  

• Opens a backdoor Secure FTP server on TCP port 22 on the infected system.

  

• Connects to a remote C&C server at carr(REMOVED)ezz.com using SSL connection to receive instructions.

SonicWALL Gateway AntiVirus provides protection against this threat via following signatures:

• GAV: Ramnit.D (Trojan)
• GAV: Ramnit.D_2 (Trojan)