Computer Virus Turns Financial Malware

Jay Decenella, IT audit expert
August 23, 2011

Computer security firm Trusteer revealed that an old-generation virus first spotted in January 2010 has morphed into financial malware.

According to Trusteer’s Ayelet Heyman, Ramnit can infect Windows executable files, HTML files, office files and possibly other file types as well.

“Although Ramnit employs old generation malicious techniques, we kept it on our malware radar, and a few weeks ago we started seeing something interesting,” Heyman said.

Ramnit accordingly morphed into financial malware, or at least was used as a platform to commit financial fraud. Once installed, Ramnit continuously communicates with its Command and Control (C&C) server, reporting its status and receiving configuration updates; inbound and outbound communication is over SSL (https).

Ramnit is said to be a “well-bred” financial malware, as its authors followed the standard approach to malicious financial activity and support all the basic features. The malware includes a Man-in-the-Browser (MitB) web injection module that lets Ramnit modify web pages on the client side, alter transaction content and insert additional transactions, all in a completely covert manner invisible to both the user and the host application.

“While analyzing Ramnit’s malicious activities we noticed its configuration format is similar to the notorious Zeus’ and SpyEye financial malware platforms,” Heyman said.

Ramnit consists of several independent components. One particular component, named Zeus, caught Trusteer’s attention: it is the HTML injection engine used by Ramnit.

Since the Zeus source code became freely available last May, and given the similarities between Zeus’ and Ramnit’s “standard financial approach” and configuration format, the security firm suspects that the malware authors incorporated parts of Zeus into Ramnit.
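Trusteer says Ramnit’s configuration format resembles Zeus’s. The publicly documented Zeus webinject layout uses set_url lines followed by data_before / data_inject / data_after blocks, each closed by data_end. The following is an added example, not code from the article or from Trusteer: a parser that pulls the targeted URL patterns out of a configuration recovered from an infected machine, the kind of triage a bank’s fraud team would do to learn whether its own domains are on the target list. The configuration text is constructed, and the format details are an assumption based on public Zeus documentation, not on anything the article states.

```python
from fnmatch import fnmatch
from urllib.parse import urlparse

# Constructed sample in the Zeus-style webinject layout (assumed format).
# The real injected HTML is replaced by a placeholder comment.
SAMPLE_CONFIG = """\
set_url https://online.bank.example/login* GP
data_before
<form name="login"*>
data_end
data_inject
<!-- injected content placeholder -->
data_end
data_after
</form>
data_end

set_url http://*.otherbank.example/* G
data_before
<body*>
data_end
data_inject
<!-- injected content placeholder -->
data_end
data_after
data_end
"""

BLOCK_KEYS = ("data_before", "data_inject", "data_after")

def parse_webinjects(text):
    """Return a list of rules: {url, flags, data_before, data_inject, data_after}."""
    rules, current, block, buf = [], None, None, []
    for line in text.splitlines():
        stripped = line.strip()
        if block is not None:                      # inside a data_* block
            if stripped == "data_end":
                current[block] = "\n".join(buf)
                block, buf = None, []
            else:
                buf.append(line)
            continue
        if stripped.startswith("set_url"):         # a new rule begins
            parts = stripped.split()
            current = {"url": parts[1], "flags": parts[2] if len(parts) > 2 else "",
                       "data_before": "", "data_inject": "", "data_after": ""}
            rules.append(current)
        elif stripped in BLOCK_KEYS and current is not None:
            block = stripped
    return rules

def targeted_hosts(rules):
    """Sorted host patterns the injects target (wildcards kept as written)."""
    return sorted({urlparse(r["url"]).hostname or "" for r in rules})

def is_targeted(host, rules):
    """True if any rule's host pattern matches the given hostname."""
    return any(fnmatch(host, pattern) for pattern in targeted_hosts(rules))
```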

Peter Kruse, a security researcher with CSIS, revealed in May that his team found the complete source code for the Zeus Trojan horse being distributed publicly across dark market forums as well as through other channels.

Trusteer said it is still investigating Ramnit’s Zeus component, but emphasized that customers running Trusteer Rapport are not vulnerable to this attack.

“Rapport blocks Ramnit from entering the browser, thus rendering the malware ineffective, financial-fraud-wise. Rapport also prevents machines from becoming infected with Ramnit,” it said.

In addition, Trusteer Pinpoint detects and reports in real time the behaviors of the financial malware when customers whose machines are infected with the worm log into an online banking application, which allows the bank to block the malicious activity generated by Ramnit.

The latest version of Ramnit consists of standalone modules (some bundled with the dropper binary, some are fetched from its C&C).