Welcome back Ramnit – Anti-detection rootkit back in action

Ramnit is the name of a rootkit family, which is composed of a sophisticated virus-mutated rootkit, which tends to infect files with polymorphic code and then locks them to disk (some versions lock to disk).

What’s more? Now, it has a troubleshooting module, increased anti-detection capability, enhanced encryption & malicious payloads, and better-written polymorphic code.

“Ramnit is a frequently updated threat which gets updated by its developer every day,” said Tim Liu of the Microsoft Malware Protection Center in a blogpost on Thursday.

Ramnit originated in 2010, and focused on stealing personal credentials, and banking mining (laundering money).

“It looks like the troubleshooting module has become a common feature in recently developed botnets. The malware authors are analyzing the error reports and making the botnet component more stable,” Liu said.

A new payload module, Liu said, is called Antivirus Trusted Module v1.0; Ramnit kills all antivirus processes through this module, though only AVG AntiVirus 2013 has been moved into the module to date, Liu said.