A worm that some security firms initially rated a low-priority threat has morphed into a serious danger to the banking industry.
Experts say that the cybercriminals behind the Ramnit worm have transformed it into financial-focused malware capable of draining bank accounts, using what may be bits and pieces of the publicly available Zeus malcode to make it more effective.
Ramnit surfaced in 2010 and, according to security experts, initially relied on an older generation of malicious techniques, infecting Microsoft Windows executable files. Once a machine was infected, the malware was used to steal saved FTP credentials and browser cookies.
Security researchers at Boston-based desktop security vendor Trusteer Inc. have in recent weeks identified the new attack method built into the Ramnit worm. The added malicious code, which Trusteer is still analyzing, is suspected of coming from the Zeus Trojan family. It supports man-in-the-browser attacks, enabling cybercriminals to bypass two-factor authentication, modify Web pages and covertly insert banking transactions. Because a man-in-the-browser component hooks the browser itself, it sees and alters page content and form submissions after TLS has been stripped; a one-time code typed by the legitimate user therefore authorizes whatever transaction the malware has silently substituted.
“Since the Zeus source code is available for free and given the similarities between Zeus’ and Ramnit’s standard financial approach and configuration format, we suspect the malware authors incorporated parts of Zeus into Ramnit,” wrote Trusteer Senior Malware Researcher Ayelet Heyman.
It’s unclear whether the modified Ramnit malware has yet been used successfully in attacks in the wild. It has the ability to drain bank accounts while remaining “invisible to both the user and host application,” Heyman wrote. Researchers have been closely monitoring earlier versions of Ramnit because certain variants contained a backdoor that awaits instructions from a remote attacker.
Ramnit was added to the Microsoft Malicious Software Removal Tool in May. It made Microsoft’s Top 25 Infections list with more than 52,000 infections. “Ramnit is one of the four parasitic viruses out of the top 10 detected threat families,” Microsoft said in a post on its Malware Protection Center blog. Parasitic viruses are an older method of infecting computers: rather than dropping a separate program, the virus writes its own code into existing executable files and redirects their entry point, so it runs whenever the user launches a program they already trust. The modified files escape casual notice, but the patching often leaves the host program unstable, so an infected machine frequently becomes sluggish or crashes.
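The parasitic infection pattern described above leaves traces that can be checked with nothing more than the PE headers. The following is an added example, written for this page and not code from Trusteer, Microsoft or the Ramnit authors: it parses a PE file with the standard library only and flags the two classic indicators of an appended file infector, an entry point that has been moved into the last section and a last section marked both writable and executable. The two sample images, the section name `.added` and the entry-point values are constructed for illustration and are not taken from any real Ramnit sample.

```python
"""Heuristic check for the hallmarks of a parasitic (file-infecting) PE."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_HDR = "<8sIIIIIIHHI"  # 40-byte IMAGE_SECTION_HEADER


def parse_sections(data):
    """Return (AddressOfEntryPoint, [(name, va, vsize, characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    # AddressOfEntryPoint is at offset 16 of the optional header for PE32 and PE32+.
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    off = opt + opt_size
    for _ in range(num_sections):
        (name, vsize, va, _raw, _rawptr, _rel, _lin,
         _nrel, _nlin, chars) = struct.unpack_from(SECTION_HDR, data, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, chars))
        off += struct.calcsize(SECTION_HDR)
    return entry, sections


def check_parasitic(data):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    entry, sections = parse_sections(data)
    if not sections:
        return ["no sections"]
    findings = []
    ep_index = None
    for i, (_name, va, vsize, _chars) in enumerate(sections):
        if va <= entry < va + vsize:
            ep_index = i
            break
    if ep_index is None:
        findings.append(f"entry point 0x{entry:x} outside every section")
    else:
        name, _va, _vsize, chars = sections[ep_index]
        # A compiler puts the entry point in the first code section; an appended
        # infector redirects it into the section it added at the end.
        if len(sections) > 1 and ep_index == len(sections) - 1:
            findings.append(f"entry point 0x{entry:x} in last section '{name}'")
        if not chars & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"entry point in non-executable section '{name}'")
    last_name, _va, _vsize, last_chars = sections[-1]
    if last_chars & IMAGE_SCN_MEM_WRITE and last_chars & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"last section '{last_name}' is writable and executable")
    return findings


def build_pe(sections, entry_point):
    """Construct a minimal PE32 image in memory (headers only, no code)."""
    e_lfanew = 0x40
    opt_size = 0xE0  # standard PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_point)   # AddressOfEntryPoint
    table = b"".join(
        struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"),
                    vsize, va, vsize, 0, 0, 0, 0, 0, chars)
        for name, va, vsize, chars in sections)
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


TEXT = (".text", 0x1000, 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
DATA = (".data", 0x2000, 0x1000, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)

# Constructed sample: an ordinary two-section program.
CLEAN = build_pe([TEXT, DATA], entry_point=0x1100)
# Constructed sample: the same program after an infector appended an RWX section
# and redirected the entry point into it (hypothetical name, not a real sample).
ADDED = (".added", 0x3000, 0x800, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
         | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
INFECTED = build_pe([TEXT, DATA, ADDED], entry_point=0x3010)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, check_parasitic(image) or "no findings")
```

Run against a directory of binaries, `check_parasitic(open(path, "rb").read())` is a cheap first-pass triage; treat hits as leads rather than verdicts, since packers and some installers also place the entry point in a late, writable section.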
According to Microsoft, the authors of Ramnit have been experimenting with code variations during the past year, building in worm modules to help spread it using USB and network drives. The incorporation of the Zeus code is one of the authors’ latest iterations.
Following the leak of the Zeus attack toolkit source code in May, security experts warned that new Zeus bot operators would surface. Access to the source code also lets malware writers improve existing code or graft its features onto other families. Earlier this month, the source code of Zeus rival SpyEye was leaked as well, and researchers have since discovered merged code: malware variants with both SpyEye and Zeus characteristics.