Ramnit is the name of a rootkit family, which is composed of a sophisticated virus-mutated rootkit, which tends to infect files with polymorphic code and then locks them to disk (some versions lock to disk).
What’s more? Now, it has a troubleshooting module, increased anti-detection capability, enhanced encryption & malicious payloads, and better-written polymorphic code.
“Ramnit is a frequently updated threat which gets updated by its developer every day,” said Tim Liu of the Microsoft Malware Protection Center in a blogpost on Thursday.
Ramnit originated in 2010, and focused on stealing personal credentials, and banking mining (laundering money).
“It looks like the troubleshooting module has become a common feature in recently developed botnets. The malware authors are analyzing the error reports and making the botnet component more stable,” Liu said.
A new payload module, Liu said, is called Antivirus Trusted Module v1.0; Ramnit kills all antivirus processes through this module, though only AVG AntiVirus 2013 has been moved into the module to date, Liu said.
Linux users and developers alike can expect some trouble with a new rootkit on the move. This time, it’s working as an iFrame attack on HTTP servers. The sample itself is pretty dynamic overall, and has the ability to infect Linux successfully AND hide its presence on the system.
The attack is characteristic of a drive-by download scenario, in which the rootkit attempts to attack an HTTP server through iFrame-related injections. Now for the dirty details…
- Attempts to ‘call’ modules in the file system by using set_http_injection_conf, start_get_command_web_injection_from_server_thread, cs:start_get_command_web_injection_from_server_value, hide_folder_and_files, hide_process_init, etc.
- It currently works on Debian Squeezy kernel version 2.6.32-5-amd64 (at least it matches).
- Unstripped coding size is 500K.
- Some functions are not fully working, so some have assumed it is in development stages or not fully complete.
- Adds startup entry to /etc/rc.local script:
- Uses one of two methods to retrieve kernel symbols to /.kallsyms_tmp:
/bin/bash -c cat /proc/kallsyms > /.kallsyms_tmp
/bin/bash -c cat /boot/System.map-`uname -r` > /.kallsyms_tmp
- Other than that, it does a good job trying to hide files/folders/processes/etc.
- The inject mechanism is neatly designed as a PHP script, which is pretty common for contemporary injections.
- Substitutes the TCP building functions by tcp_sendmsg to its own function.
- Once the C&C callback is done on the command server, the command server sends back malicious code specific for the situation.
- Probably being used in cybercrime operations rather than just targeted attacks.
- A Russia-based attacker is likely. Experts are not revealing any names, and seCURE Connexion has no information sadly.
- This was discovered on Seclists’s Full Disclosure Mailing List.
Latest release of Fall Malware for 2012 from seCURE Connexion
The goal in releasing a comprised list of threats that security companies will be dealing with the most this Fall is to help instruct users on the latest vectors, so that they know how important it is to maintain an updated antivirus program.
Most of the malware threats listed below are audience aggregated, which means what most security companies are dealing with currently, and there is no hope of it ending anytime soon. These are in order of the most distributed.
KEY: Vir=Virus, Rtk=Rootkit, Trj=Trojan, WM=Worm, Adw=Adware, Spy=Spyware
- The Agent trojan is a backdoor proxy trojan, that attempts to change the proxy on the target computer to help redirect search results and browsing activity in attempts to mine money or bitcoins.
- Outlook: Seems this trojan is the most updated trojan ever seen, and will continue to be a problem with all of its low-to-medium risk threats.
- See Microsoft’s writeup
- Outlook: Sality has been a problem for a few years now, and it still will be a problem. It infects almost every user/system file on the operating system.
- See Microsoft’s writeup
- Outlook: TDL4 has continued to be a problem and will continue to be a problem as long as computers have a working master boot record.
- See Microsoft’s writeup
- Outlook: Fake or rogue antivirus has been a problem for over four years of scamming users in to buying antivirus software. It will continue to be a problem for at least the next six months to a year.
- Second Opinion Malware Scanners: Why buy one? (secureconnexion.wordpress.com)
- FAQ: How did Sirefef or ZeroAccess Infect You? (secureconnexion.wordpress.com)
- New Java vulnerabilities found just after release of recent update (secureconnexion.wordpress.com)
- New TDL4 variant affecting government, ISPs, etc. (secureconnexion.wordpress.com)
- Modern Malware and the Balance Between IDS and IPS (thethreatvector.wordpress.com)
TDL4 is the newest type of the TDSS rootkit, which is a classic rootkit malware/virus that has been infecting computers and constructing a botnet since 2006. Now, with its new dangerous properties, it has the ability to sneak in to government agency computers, ISPs, and even popular companies. It uses stealthy properties and exploits to get itself installed, where it can hide itself in a different partition on the computer or create its own partition.
The new threat, which has been assigned the generic name DGAv14 until its true nature is clarified, has affected at least 250,000 unique victims so far, including 46 of the Fortune 500 companies, several government agencies and ISPs, the Damballa researchers said in a research paper released Monday.
In collaboration with researchers from the Georgia Tech Information Security Center (GTISC), the Damballa researchers registered some of the domain names the new threat was attempting to access and monitored the traffic it sent to them.
TDL4, also known as TDSS, is considered to be one of the most sophisticated malware threats ever created and used by cybercriminals – without counting threats like Stuxnet, Flame,Gauss and others that are believed to have been created by nation states for cyberespionage purposes.
TDL4 is part of a category of malware known as bootkits – boot rootkits – because it infects the hard disk drive’s Master Boot Record (MBR), the sector that contains information about a disk’s partition table and the file systems. The code that resides in the MBR is executed before the OS actually starts.
Much of this information pulled from TechWorld.
One of the newer partition infections includes a dropper located at c:\windows\svchost.exe
Protect your computer from rootkits by the makers of TDSSKiller, Kaspersky Lab for only $59.95 (a $79.95 value):
- Elusive TDL4 malware variant infected Fortune 500 companies, government agencies (infoworld.com)
- TDSS Malware Infecting Fortune 500 Includes Evasion Tactic (eweek.com)
- Elusive TDL4 malware variant infected Fortune 500 companies, government agencies, researchers say (pcadvisor.co.uk)
By Jay Pfoutz
Apparently, the new showy security threat is Rakshasa… At Black Hat Las Vegas, this new security technique was unveiled.
This new malware by researcher Jonathan Brossard is apparently ‘impossible to disinfect’.
Now, FIRST OF ALL!! – Anything created with man’s hands can be destroyed. I’d like to see this opinion last: undetectable, can’t be disinfected, etc.
The paper on Rakshasa can be found here. It describes a hardware backdoor. Unbeknownst to this artist researcher, companies like Kaspersky or ESET have already begun to craft hardware antivirus drivers. So, this backdoor hardware malware scheme is a bit late, but maybe just in time, too.
Will it be used? Who knows. That’s the scary part!
It is realistically a BIOSkit, a rootkit that infects the BIOS of the computer. What’s wrong with this…? It can be easily disinfected by flashing all of the devices of the computer, which apparently would be infected.
However, this malware has not been tested in an enterprise-based beta, which means just because it worked on a couple of machines does not mean it would work on any other computer. Impressive? Yes! But, not at all scary, yet.
What makes me more shocked, is that people will actually believe that this malware will not be able to be disinfected. But, this is the turnaround: it can be! This is nothing more than a BIOSkit, and we have seen BIOSkits removed in our leagues many times.
But, then again, people commonly believe rootkits are impossible to be removed too. Look…we proved them wrong!
By inflicting code signing for BIOS, just like all other hardware driver signing, can easily keep it blocked. Also, if BitLocker evolves in Windows 8 and further technologies, it could easily secure the OS. Also, things like device encryption, could be taken to a new level.
This is not a new vulnerability, and Brossard agrees.