Ramnit, it's an evolution in malware, not a revolution. The creators of this worm have used some of the best features of other malware, including the very successful older version, Ramnit 1.0, and Frankensteined it into a very efficient credential-stealing application.

It is so much easier and quicker to modify a successful malware application than it is to recreate a new program from scratch. Another advantage is that since this worm has already been launched in the wild, the developers have the advantage of knowing how to change the program's behavior and syntax to make it once again undetectable to modern-day IDS/IPS and antivirus programs.
The base design of Ramnit comes from an older worm that had its roots in stealing financial information from compromised computers. The newer version incorporates several plug-ins that include a Man-in-the-Middle (MitM) proxy, HTTP web injection, an FTP server, and a communication link to a Command and Control server. Ramnit uses older but proven techniques to infect and hide itself on compromised systems and is very clever in the way it collects and steals information from the unsuspecting user.
Once a user's system is infected, Ramnit will identify when the user visits a site that requires identity verification. Ramnit will then take advantage of the built-in MitM capability and inject code (via the HTTP injector plug-in) into the user's session.
Example: a user logs into Facebook. Ramnit identifies the URL and intercepts the Facebook logon page before it is sent to the user's computer screen. Ramnit will then add and replace fields in the page and send the user a modified logon page that looks official but in reality will steal the user's log-in information and send it to a collection server on the Internet to be used at a later date.
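Because the web inject changes the login form the user actually receives, a defender can compare a served login page against the form it is known to carry and flag added fields or a form that posts somewhere else. The following Python check is an added example, not code from the original post; the page markup, the expected field names and the host names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _FormScanner(HTMLParser):
    """Collect form actions and input field names from a served login page."""

    def __init__(self):
        super().__init__()
        self.actions = []
        self.fields = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag in ("input", "select", "textarea") and a.get("name"):
            self.fields.append(a["name"])


def find_injected_changes(html, expected_fields, expected_host):
    """Return (unexpected_fields, foreign_actions) for a served login page.

    expected_fields: field names the genuine form is known to carry.
    expected_host:   host the genuine form posts to.
    Extra fields (card numbers, PINs) or a form posting to another host are
    the fingerprint of a web inject that adds or replaces fields.
    """
    scanner = _FormScanner()
    scanner.feed(html)
    unexpected = sorted(set(scanner.fields) - set(expected_fields))
    foreign = [act for act in scanner.actions
               if urlparse(act).netloc and urlparse(act).netloc != expected_host]
    return unexpected, foreign


# Constructed sample pages for illustration (not real Facebook markup).
GENUINE_PAGE = """<form action="https://login.example.com/session" method="post">
  <input name="email"><input name="pass" type="password">
  <input name="persistent" type="checkbox"></form>"""

INJECTED_PAGE = """<form action="https://login.example.com/session" method="post">
  <input name="email"><input name="pass" type="password">
  <input name="persistent" type="checkbox">
  <input name="card_number"><input name="card_cvv"></form>
<form action="http://collector.invalid/drop" method="post"></form>"""

EXPECTED_FIELDS = {"email", "pass", "persistent"}

if __name__ == "__main__":
    for label, page in (("genuine", GENUINE_PAGE), ("injected", INJECTED_PAGE)):
        fields, actions = find_injected_changes(page, EXPECTED_FIELDS, "login.example.com")
        print(label, "unexpected fields:", fields, "foreign actions:", actions)
```

In practice the baseline (expected fields and host) comes from a clean fetch of the same page over a trusted network path, and any difference is worth investigating on the endpoint that received the modified page.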
This information is later loaded into scripts that crawl the web looking for banking and financial sites, trying all of these captured accounts in the hope of successfully logging in to those sites with legitimate user credentials, with the intent of stealing or transferring money.
Ways to reduce your risk.
· Use multifactor authentication. Example: VeriSign's free VIP Access App (eBay, PayPal).
· Change your passwords often. Use passphrases like AmericanExpressDontLeaveHomeWithoutIt54321, or use the first letter of each word in song lyrics combined with numbers, symbols, and upper- and lowercase letters: Ptmywygmn665+1 (try and figure out that song).
· Do not use the same password for multiple sites.
· Keep your computer up to date with current patches.
· Run your e-mail in text mode if possible.
· Keep your computer up to date with current virus signatures.
· Scan your e-mail (in text mode) and do not open e-mails from unknown users.
· Scan your e-mail and do not open untrusted attachments.