Ramnit Bot Returns with Improved Anti-detection Capabilities: MMPC
According to the Microsoft Malware Protection Center (MMPC), the creators of the Ramnit botnet, malware used to steal victims' credentials and cookies and to carry out banking fraud, have moved beyond improving its infection capabilities and are now concentrating on evading anti-malware products and on better managing their bots, eweek.com reported on March 19, 2013.
Since 2010, Ramnit's developers have regularly updated the program, turning a file-infecting virus into a full-fledged banking Trojan that drains victims' accounts. That shift transformed an outdated piece of malware into one of the more prolific online threats.
Ramnit now carries four new upgrades, each adding rootkit capability such as hiding Ramnit's components on a computer even while security software is running. In addition, once it connects to its command-and-control (C&C) infrastructure, Ramnit uses its backdoor capability to push a list of anti-virus product process names to the compromised PCs that make up the botnet.
Tim Liu, a security researcher at MMPC, states that once Ramnit receives the process names, its kernel-mode and user-mode components work to terminate any process whose name appears on that list, Threatpost.com reported on March 15, 2013.
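The behaviour just described, a component that terminates every process whose name matches a list pushed from the C&C, is visible to defenders as one process obtaining terminate rights on several security-product processes in quick succession. The following detection heuristic is an added example, not code from MMPC, eweek.com or Threatpost; the event format is modelled loosely on Sysmon Event ID 10 (ProcessAccess), and the security-product image names, the sample events, the window and the threshold are all constructed placeholders.

```python
"""Detection heuristic for mass termination of security-product processes.

Added example (not from the MMPC / eweek / Threatpost reporting). Flags any
source process that obtains PROCESS_TERMINATE access to several distinct
security-product processes within a short time window, which is the pattern
an AV-killing component like the one described for Ramnit would produce.
Event layout loosely follows Sysmon Event ID 10 (ProcessAccess); all events,
image names and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PROCESS_TERMINATE = 0x0001  # Win32 process access right bit

# Constructed placeholder names standing in for security-product processes.
# A real deployment would list the vendor's actual service/UI image names.
SECURITY_IMAGES = {"av_service.exe", "av_ui.exe", "edr_agent.exe", "firewall_svc.exe"}

# Constructed sample events: (timestamp, source image, target image, granted access mask)
SAMPLE_EVENTS = [
    ("2013-03-15T10:00:00", "C:\\Users\\u\\AppData\\Roaming\\svchost.exe", "av_service.exe", 0x1FFFFF),
    ("2013-03-15T10:00:01", "C:\\Users\\u\\AppData\\Roaming\\svchost.exe", "av_ui.exe", 0x0001),
    ("2013-03-15T10:00:02", "C:\\Users\\u\\AppData\\Roaming\\svchost.exe", "edr_agent.exe", 0x0401),
    ("2013-03-15T10:00:03", "C:\\Windows\\explorer.exe", "notepad.exe", 0x1000),
    ("2013-03-15T10:05:00", "C:\\Windows\\System32\\taskmgr.exe", "av_ui.exe", 0x0001),  # single kill, benign
    ("2013-03-15T10:30:00", "C:\\Users\\u\\AppData\\Roaming\\svchost.exe", "firewall_svc.exe", 0x0001),  # outside window
]


def parse_event(row):
    """Normalise one raw event tuple into (datetime, source, lowercased target, access mask)."""
    ts, src, tgt, access = row
    return datetime.fromisoformat(ts), src, tgt.lower(), access


def find_av_killers(events, window=timedelta(seconds=60), threshold=3):
    """Return {source_image: set_of_targets} for every source that obtained
    terminate access to at least `threshold` distinct security images
    within any `window`-long span of time."""
    per_source = defaultdict(list)
    for ts, src, tgt, access in map(parse_event, events):
        if tgt in SECURITY_IMAGES and access & PROCESS_TERMINATE:
            per_source[src].append((ts, tgt))

    alerts = {}
    for src, hits in per_source.items():
        hits.sort()  # sort by timestamp
        left = 0
        for right in range(len(hits)):
            # Slide the left edge so the span hits[left:right+1] fits inside the window
            while hits[right][0] - hits[left][0] > window:
                left += 1
            targets = {t for _, t in hits[left:right + 1]}
            if len(targets) >= threshold:
                alerts[src] = alerts.get(src, set()) | targets
    return alerts


if __name__ == "__main__":
    for src, targets in find_av_killers(SAMPLE_EVENTS).items():
        print(f"ALERT: {src} obtained terminate access to {sorted(targets)}")
```

The threshold and window are the tuning knobs: a single terminate from Task Manager is ordinary administrator activity, whereas three distinct security-product processes hit within a minute from a binary under a user profile directory is the signature worth alerting on.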
Moreover, a debugging module, much like the one used by the Necurs botnet, has been added. It detects crashes in the malware's various modules, logs them, and reports them to the C&C infrastructure before the faulty module is uninstalled.
Notably, the module delivered by the C&C infrastructure is stored on the hard disk encrypted with the RC4 algorithm and then loaded in a stealthy way that prevents anti-malware defenses from recognizing it; Ramnit uses its own unique mechanism for loading modules. Finally, a recently emerged component named "Antivirus Trusted Module version 1.0" appears to be where Ramnit has consolidated all of its anti-AV capabilities, both to keep botnet maintenance safe and to make those capabilities more robust, MMPC concludes.