
W32.Ramnit

Risk Level 2: Low

Discovered:
January 19, 2010
Updated:
March 2, 2015 11:03:26 AM
Type:
Virus
Infection Length:
10,240 bytes
Systems Affected:
Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP
CVE References:
CVE-2010-2568, CVE-2013-0422, CVE-2013-1493
1. Prevention and avoidance
1.1 User behavior and precautions
1.2 Patch operating system and software
2. Infection Method
2.1 Removable drives
2.2 Remotely exploitable vulnerabilities
2.3 File infection
2.4 Public File Transfer Protocol servers
2.5 Potentially unwanted applications
3. Functionality
3.1 System modifications
3.2 Network activity
3.3 Additional functionality
4. Additional Information




1. PREVENTION AND AVOIDANCE
The following actions can be taken to avoid or minimize the risk from this threat.


1.1 User behavior and precautions
As this threat spreads through removable drives, users are advised to take caution when connecting a removable drive to their computer. This threat can use the AutoRun feature in Windows to spread. It is a good security practice to disable this feature so that removable devices do not execute when they are inserted into a computer. It should be noted that the AutoRun feature is disabled by default for non-optical removable drives in recent versions of Windows and on computers with certain updates applied.

Removable drives should also be disconnected when not required and, if write access is not required, enable the read-only mode if the option is available on the drive.

Do not click on any links or advertisements if it is unclear if they come from trusted sources. The web browser will normally show where the link leads to when the user hovers over the link with the mouse. Users can also check online website-rating services such as safeweb.norton to see if the site is deemed safe to visit.

Do not install programs on your computer if you do not know where they come from. Be suspicious of files that are bundled with other applications and do not install them if you do not know what they are.


1.2 Patch operating system and software
Attackers have been observed spreading the threat through exploit kits hosted on malicious advertisements or compromised sites. These kits are designed to take advantage of any software bugs on your computer in order to install malware. You can prevent exploit kits from succeeding by keeping your operating system and software up to date.

It is recommended that users turn on automatic updates, if available, so that the latest patches and updates can be applied to their computer when they are made available.



2. INFECTION METHOD
The threat is distributed through removable drives (USB keys and network shares), public FTP servers, exploit kits served through malicious advertisements on legitimate websites or social media, and bundled with potentially unwanted applications.


2.1 Removable drives
The threat can use AutoRun to spread. AutoRun is a Windows feature that allows an executable to run automatically when a drive is accessed. The threat copies itself and an accompanying configuration file called autorun.inf to removable drives. An autorun.inf file is simply a text file that contains information that specifies how the file should be displayed, along with options for its execution.

This feature should be disabled so that files on removable devices do not execute when the device is inserted into a computer. The AutoRun feature is disabled by default for non-optical removable drives in recent versions of Windows and on computers with certain updates applied.

To spread itself, the threat may create the following files on any removable drive present:
  • %DriveLetter%\RECYCLER\[GUID]\[RANDOM CHARACTERS].exe
  • %DriveLetter%\RECYCLER\[GUID]\[RANDOM CHARACTERS].cpl
  • %DriveLetter%\autorun.inf
  • %DriveLetter%\Copy of Shortcut to (1).lnk
  • %DriveLetter%\Copy of Shortcut to (2).lnk
  • %DriveLetter%\Copy of Shortcut to (3).lnk
  • %DriveLetter%\Copy of Shortcut to (4).lnk
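As an added example (not code from the original writeup), the following Python scanner checks a removable drive root for the artifact layout listed above: an autorun.inf at the root whose launch entry points into RECYCLER, the decoy "Copy of Shortcut to (N).lnk" files, and .exe/.cpl files under a GUID-named RECYCLER folder. The GUID format and the sample tree it builds are assumptions made for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Indicators from the file list above; the executable name is randomised, so match by location.
GUID_RE = re.compile(r"^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$")
SHORTCUT_RE = re.compile(r"^Copy of Shortcut to \(\d+\)\.lnk$", re.IGNORECASE)
LAUNCH_RE = re.compile(r"^\s*(open|shellexecute|shell\\.*\\command)\s*=", re.IGNORECASE)

def autorun_launches_recycler(path):
    """True if an autorun.inf launch entry points into a RECYCLER folder."""
    try:
        text = Path(path).read_text(errors="ignore")
    except OSError:
        return False
    return any(LAUNCH_RE.match(ln) and "recycler" in ln.lower()
               for ln in text.splitlines())

def scan_removable_root(root):
    """Return (indicator, path) findings for one drive root; [] when clean."""
    root = Path(root)
    findings = []
    autorun = root / "autorun.inf"
    if autorun.is_file():
        kind = ("autorun.inf launching RECYCLER payload"
                if autorun_launches_recycler(autorun) else "autorun.inf present")
        findings.append((kind, str(autorun)))
    for entry in root.iterdir():
        if entry.is_file() and SHORTCUT_RE.match(entry.name):
            findings.append(("decoy shortcut", str(entry)))
    recycler = root / "RECYCLER"
    if recycler.is_dir():
        for sub in recycler.iterdir():
            if not (sub.is_dir() and GUID_RE.match(sub.name)):
                continue
            for f in sub.iterdir():
                if f.suffix.lower() in (".exe", ".cpl"):
                    findings.append(("executable in RECYCLER\\<GUID>", str(f)))
    return findings

def build_constructed_sample():
    """Constructed sample tree mimicking the layout above (placeholder bytes, not malware)."""
    root = Path(tempfile.mkdtemp(prefix="ramnit_sample_"))
    guid_dir = root / "RECYCLER" / "{A1B2C3D4-1111-2222-3333-444455556666}"
    guid_dir.mkdir(parents=True)
    (guid_dir / "xqzv.exe").write_bytes(b"MZ placeholder")
    (root / "autorun.inf").write_text("[autorun]\nopen=RECYCLER\\{A1B2C3D4-1111-2222-3333-444455556666}\\xqzv.exe\n")
    (root / "Copy of Shortcut to (1).lnk").write_bytes(b"L")
    return root
```

Run it against a mounted drive letter (for example `scan_removable_root("E:\\")`) on a Windows host; the constructed sample exists only so the logic can be exercised offline.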


2.2 Remotely exploitable vulnerabilities
The threat may be propagated through exploits for the vulnerabilities listed under CVE References above.

Attackers may try to serve exploits through malicious advertisements on legitimate websites and social media. Attackers may compromise the advertisements on these sites by injecting malicious code into them, which redirects visitors to another web page hosting the exploit kit. The kit then checks the user’s computer for potentially vulnerable programs and attempts to exploit them accordingly. This will allow the kit to drop the threat onto the computer.


2.3 File infection
The threat infects the following file types:
  • .exe
  • .dll
  • .htm
  • .html

If infected files from a compromised computer are shared, the threat can spread. Infected HTML files residing on a web server may be served to users of the web server, which may also help to further spread the threat.


2.4 Public File Transfer Protocol servers

The threat may also spread by placing infected files from compromised computers on public FTP servers, from which other computers may download them.


2.5 Potentially unwanted applications
The threat may come bundled with other applications.



3. FUNCTIONALITY
When the threat is executed, it may perform the following actions:


3.1 System modifications
The following side effects may be observed on computers compromised by this threat:


File creation
The threat may create the following files on the compromised computer:
  • %UserProfile%\Start Menu\Programs\Startup\[RANDOM CHARACTERS].exe
  • %UserProfile%\[RANDOM CHARACTERS].log
  • %SystemDrive%\Program Files\[RANDOM CHARACTERS]\[RANDOM CHARACTERS].exe
  • %ProgramFiles%\MNetwork
  • %CurrentFolder%\[INFECTED FILE NAME]Srv.exe
  • %DriveLetter%\autorun.inf
  • %SystemDrive%\Documents and Settings\All Users\Application Data\[EIGHT PSEUDO-RANDOM CHARACTERS].log
  • %UserProfile%\Application Data\[EIGHT PSEUDO-RANDOM CHARACTERS].exe
  • %UserProfile%\Local Settings\Temp\[EIGHT PSEUDO-RANDOM CHARACTERS].sys
  • %UserProfile%\Local Settings\Temp\[EIGHT PSEUDO-RANDOM CHARACTERS].exe
  • %SystemDrive%\Documents and Settings\All Users\Application Data\[RANDOM FILE NAME].log


Registry subkeys/entries created
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc


Registry subkeys/entries deleted
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE
  • HKEY_LOCAL_MACHINE\SYSTEM
  • HKEY_LOCAL_MACHINE\HARDWARE
  • HKEY_CURRENT_USER\SOFTWARE


Registry subkeys/entries modified
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "%Windir%\system32\userinit.exe,,%SystemDrive%\Program Files\[RANDOM CHARACTERS]\[RANDOM CHARACTERS].exe"
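The Userinit modification above is the persistence entry worth auditing: Winlogon launches every comma-separated entry in that value, so the ",," does not hide the appended executable. As an added example (not from the original writeup), this Python check parses the value and reports anything that is not the genuine %Windir%\system32\userinit.exe; the live read through winreg only works on Windows, and the sample value and default Windows directory are assumptions.

```python
import sys

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

def parse_userinit(value):
    """Split a Userinit value on commas; Windows launches every non-empty entry."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]

def is_standard_userinit(entry, windir=r"C:\Windows"):
    r"""Only the real %Windir%\system32\userinit.exe is expected in this value."""
    p = entry.lower().replace("/", "\\")
    for var in ("%windir%", "%systemroot%"):
        p = p.replace(var, windir.lower())
    return p == windir.lower() + r"\system32\userinit.exe"

def suspicious_userinit_entries(value, windir=r"C:\Windows"):
    """Return the entries that Winlogon would launch in addition to userinit.exe."""
    return [e for e in parse_userinit(value) if not is_standard_userinit(e, windir)]

def read_live_userinit():
    """Read the live value through winreg on Windows; None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value

if __name__ == "__main__":
    # Constructed sample in the shape of the modified value listed above (assumed names).
    sample = r"%Windir%\system32\userinit.exe,,%SystemDrive%\Program Files\abcd\efgh.exe"
    for entry in suspicious_userinit_entries(read_live_userinit() or sample):
        print("unexpected Userinit entry:", entry)
```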


MBR infection
The threat also infects the master boot record (MBR) so it can remain persistent on the compromised computer. It does this by moving the clean MBR to the end of the disk and then overwriting the original MBR with a malicious one.
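Because the clean MBR is moved to the end of the disk, a forensic check on a raw disk image can look there for it. The following Python routine is an added example, not part of the original writeup: it scans the last sectors of an image for a sector that still carries the 0x55AA signature and the same partition table as sector 0 but different boot code. That matching rule is a heuristic assumption, and the image it builds is constructed for the demonstration.

```python
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"

def partition_table(sector):
    """The 64-byte partition table that sits at offset 446 of an MBR."""
    return sector[446:510]

def looks_like_mbr(sector):
    """0x55AA signature plus a non-empty table whose boot flags are 0x00 or 0x80."""
    if len(sector) != SECTOR or sector[510:512] != BOOT_SIG:
        return False
    table = partition_table(sector)
    if table == b"\x00" * 64:
        return False
    return all(table[i] in (0x00, 0x80) for i in range(0, 64, 16))

def find_relocated_mbr(image, tail_sectors=64):
    """Scan the last tail_sectors sectors of a raw image for a stashed MBR.
    Heuristic (assumption): the stashed copy keeps sector 0's partition table
    but has different boot code. Returns the sector index or None."""
    total = len(image) // SECTOR
    mbr = image[:SECTOR]
    if not looks_like_mbr(mbr):
        return None
    for idx in range(total - 1, max(total - 1 - tail_sectors, 0), -1):
        sec = image[idx * SECTOR:(idx + 1) * SECTOR]
        if (looks_like_mbr(sec) and partition_table(sec) == partition_table(mbr)
                and sec[:446] != mbr[:446]):
            return idx
    return None

def build_constructed_image(sectors=2048):
    """Constructed 1 MiB image: clean MBR copied to the last sector, sector 0
    overwritten with different boot code but the same partition table."""
    entry = bytes([0x80, 0x01, 0x01, 0x00, 0x07, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 63, sectors - 63)
    table = entry + b"\x00" * 48
    clean = b"\xfa\x33\xc0" + b"\x90" * 443 + table + BOOT_SIG
    bootkit = b"\xeb\x00" + b"\xcc" * 444 + table + BOOT_SIG
    image = bytearray(sectors * SECTOR)
    image[:SECTOR] = bootkit
    image[-SECTOR:] = clean
    return bytes(image)

if __name__ == "__main__":
    print("relocated MBR at sector", find_relocated_mbr(build_constructed_image()))
```

On a real acquisition, pass the bytes of a full-disk image (for example from dd) and compare the boot code of the candidate sector with a known-good MBR before drawing conclusions.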


3.2 Network activity
The threat may be controlled remotely by a command-and-control (C&C) server and it may be instructed to download and install various files to perform other actions on the compromised computer.


Command-and-control connections
The threat uses a domain generation algorithm (DGA) to generate a number of remote domains through which it attempts to reach its C&C server. The threat currently generates up to 300 domains for each seed value; one seed value is hard coded into the threat.

The following are some example domains generated by the threat:
  • rmnzerobased.com
  • awecerybtuitbyatr.com
  • awrcaverybrstuktdybstr.com
  • qwevrbyitntbyjdtyhvsdtrhr.com
  • yeiolertxwerh.com
  • ytioghfdghvcfgbgvdf.com

The threat opens a back door on the compromised computer that allows it to receive approximately 21 commands, including the following:
  • Capture screenshots
  • Upload cookies
  • Gather computer-related information
  • Delete the root registry to prevent the computer from starting up
  • Request modules and module lists


FTP server
The threat runs its own FTP server, which listens on TCP port 22 for commands and connections. The EXEC command allows the attacker to execute commands through the running FTP server. The attacker’s FTP server supports the following commands:
  • USER
  • PASS
  • CWD
  • CDUP
  • QUIT
  • PORT
  • PASV
  • TYPE
  • MODE
  • RETR
  • STOR
  • APPE
  • REST
  • RNFR
  • RNTO
  • ABOR
  • DELE
  • RMD
  • MKD
  • LIST
  • NLST
  • SYST
  • STAT
  • HELP
  • NOOP
  • SIZE
  • EXEC
  • PWD


VNC server
The threat may also run a virtual network computing (VNC) server on the compromised computer. The VNC server is hard coded to listen on TCP port 23 and allows a remote attacker to gain access to the desktop of the compromised computer without authentication.


3.3 Additional functionality


Self-protection mechanism
To protect itself, the threat has a watchdog process that repeatedly sets registry subkeys to lower the security settings and ensure that the subkey used for persistence is intact. The threat keeps a copy of the installer in memory and checks if the copy of the threat on the disk is present. If the threat discovers that the disk-based copy of itself is missing, it will drop a new copy of the installer to the disk and launch the installer to infect the computer again.


Stealing cookies

The threat may steal cookies to hijack online sessions for banking and social media websites. The threat steals cookies from the compromised computer’s browsers, stores them in archive files, and sends them to the C&C server. The threat may steal cookies from Internet Explorer, Firefox, Opera, Flash, Safari, and Chrome.


Stealing login credentials
The threat may steal login credentials for a large number of FTP clients, including Windows/Total Commander, FlashFXP, FtpCommander, and SmartFTP. The threat accomplishes this by checking the configuration files and registry hives of these applications.


Man-in-the-browser/webinjects
The threat may monitor a victim’s frequently visited websites, including online banking websites. When the threat recognizes that a victim is on a specific site, such as a bank, it will act as a man-in-the-browser (MITB) and inject code into the web page. The code will request that the user submit sensitive information not normally required during a standard login process. Any data entered by the user is collected and sent to the attacker.



The attacker can then use this information to access the victim’s credit cards and bank accounts. A typical webinject may modify a bank login web page to include requests for credit card details, date of birth, or even PIN codes for bank cards.


Stealing files
The threat may also steal files from the compromised computer. The threat scans for specific folders or files that may contain login credentials and then archives them and sends them to the C&C server. The threat accomplishes this by using the SHGetFolderPathA API with CSIDL_LOCAL_APPDATA to locate the folder path. It then uses GetLogicalDriveStrings to find details on valid drives on the compromised computer and then checks the drive type through GetDriveType. If the type is DRIVE_FIXED, the threat will scan the drive.

The following are some example file name patterns that the threat tries to search for:
  • *wallet.dat
  • *pass*
  • *pass*.txt
  • *pass*.docx
  • *pass*.xlsx
  • *password*
  • *password*.txt
  • *password*.docx
  • *password*.xlsx
  • *passwords*.
  • *passwords*.txt
  • *passwords*.docx
  • *passwords*.xlsx



4. ADDITIONAL INFORMATION
For more information on this threat family, please see the following resources:

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.