The National Crime Agency (NCA) in a joint operation with Europol's European Cybercrime Centre (EC3) and law enforcement agencies from Germany, Italy, the Netherlands, and the United Kingdom has taken down the Ramnit "botnet", which has infected over 3.2 million computers worldwide, including 33,000 in the UK.
Alike GameOver Zeus, RAMNIT is also a 'botnet' - a network of zombie computers which operate under criminal control for malicious purposes like spreading viruses, sending out spam containing malicious links, and carrying out distributed denial of service attacks (DDoS) in order to bring down target websites.
RAMNIT believes to spread malware via trustworthy links sent through phishing emails or social networking sites, and mainly target people running Windows operating systems in order to steal money from victims bank accounts. Moreover, public FTP servers have also been found distributing the malware.
Once installed, the infected computer comes under the control of the botnet operators. The module inadvertently downloads a virus onto the victim’s computer which could be used by operators to access personal or banking information, steal passwords and disable anti-virus protection.
RAMNIT SHUT-DOWN IN AN OPERATION
In a statement
on Tuesday, Europol revealed that the successful take-down of Ramnit botnet involved the help of Microsoft, Symantec and AnubisNetworks. The groups shut down the botnet's command and control infrastructure and redirected traffic from a total of 300 domain addresses used by Ramnit criminal operators.
"This successful operation shows the importance of international law enforcement working together with private industry in the fight against the global threat of cybercrime," said Wil van Gemart, Europol's deputy director of operations. "We will continue our efforts in taking down botnets and disrupting the core infrastructures used by criminals to conduct a variety of cybercrimes."
NASTY FEATURES OF RAMNIT BOTNET
that Ramnit has been around for over four years, first originating as a computer worm. According to the anti-virus firm, Ramnit is a "fully-featured cybercrime tool, featuring six standard modules that provide attackers with multiple ways to compromise a victim." The features are:
- SPY MODULE - This is one of the most powerful Ramnit features, as it monitors the victim’s web browsing and detects when they visit online banking sites. It can also inject itself into the victim’s browser and manipulate the bank’s website in such a way that it appears legitimate and easily grab victim’s credit card details.
- COOKIE GRABBER - This steals session cookies from web browsers and send them back to the Ramnit operators, who can then use the cookies to authenticate themselves on websites and impersonate the victim. This could allow an attacker to hijack online banking sessions.
- DRIVE SCANNER - This scans the computer’s hard drive and steals files from it. The scanner is configured in such a way that it searches for specific folders which contain sensitive information such as victims’ passwords.
- ANONYMOUS FTP SERVER - By connecting to this server, the malware lets attackers remotely access the infected computers and browse the file system. The server can be used to upload, download, or delete files and execute commands.
- VIRTUAL NETWORK COMPUTING (VNC) MODULE - This feature provides the attackers with another means to gain remote access to the compromised computers.
- FTP GRABBER - This feature allows the attackers to gather login credentials for a large number of FTP clients.
WHY BOTNET RE-EMERGE AFTER TAKEDOWNS ?
According to the authorities, Ramnit botnet has been taken down, but is it guaranteed that the botnet will not re-emerged again? We have seen the took down of GameOver Zeus botnet by FBI and Europol as well, but what happened at last? Just after a month, GameOver Zeus botnet again came into operation with more nasty features.
So, What went wrong? Why Botnet take downs are ineffective? One reason could be that the organisations grab and take-down only a small fraction of command-and-control domains that build up the Botnet critical infrastructure, but leaves a majority of fraction active. This takes some months for a botnet operator to recover.
As more and more botnet networks are taken down by Law Enforcement, cyber criminals are increasingly using secondary communication methods, such as peer-to-peer or domain generation algorithms (DGA).
One of the main reasons that the Botnet re-emerged is because the author of the malware didn’t get arrested. No matter how many domains are taken down or how many sinkholes researchers create, if the attackers are not arrested, nobody can stop them from building new Botnet from zero.
On this we really appreciate the FBI step to reward $3 Million for the information leading to the direct arrest or conviction of Evgeniy Mikhailovich Bogachev, the alleged author of GameOver Zeus botnet that was used by cybercriminals to steal more than $100 Million from online bank accounts.