The Ramnit botnet has been shut down in a joint effort by the Europol and the security firms Symantec, Microsoft, and Anubis Networks.

Another success For the Europol and its allies Microsoft, Symantec, and Anubis Networks. The organizations in a joint effort have shut down command and control servers of the popular Ramnit botnet. The Joint Cybercrime Action Taskforce* (J-CAT) and CERT-EU also provided a significant support to the operations.

“On 24 February, Europol’s European Cybercrime Centre (EC3) coordinated a joint international operation from its operational centre in The Hague, which targeted the Ramnit botnet that had infected 3.2 million computers all around the world.” states the official announcement issued by the Europol.

According to cyber security experts, the Ramnit is one of the world’s biggest botnets, which infected up to 3.2 million machines worldwide.

b1

The group behind Ramnit botnet seems to be active since 2010, but quickly evolved in the time thanks continuous improvement. A botnet could be used for several fraudulent activities, Ramnit one was mainly used by crooks for financial frauds.

Police enforcement from several European countries, including Germany, Italy, the Netherlands, and the UK, have seized the control infrastructure for the Ramnit botnet.

“Representatives from the various countries, Microsoft, Symantec and AnubisNetworks worked together with Europol officials to shut down command and control servers and to redirect 300 Internet domain addresses used by the botnet’s operators.” reported the Europol.

Europol Deputy Director Operations, Wil van Gemert, has expressed its satisfaction for the operation highlighting the importance of collaboration between several entities to fight the criminal ring operating the Ramnit botnet.

“This successful operation shows the importance of international law enforcement working together with private industry in the fight against the global threat of cybercrime,” said Wil van Gemart.

“We will continue our efforts in taking down botnets and disrupting the core infrastructures used by criminals to conduct a variety of cybercrimes,” 

Symantec published a blog post in which describes the evolution of the Ramnit agent since 2010, The experts revealed that the malicious code and its controllers rapidly evolved over the time.

The latest variant of Ramnit (W32.Ramnit.B) has abandoned the file infection routine and implemented a range of several alternative infection methods.

“Ramnit (W32.Ramnit) began life as worm, first appearing in 2010 and spreading quickly due to aggressive self-propagation tactics. Once it compromised a computer it sought out all EXE, DLL, HTM, and HTML files on the local hard disk and any removable drives and attempted to infect them with copies of itself. ” reported Symantec.

Symantec explained that the Ramnit malware is composed of six standard modules, “Spy module,” “Cookie grabber,” “Driver scanner,” “Anonymous FTP server,”VNC module,” and FTP grabber.

Microsoft and Symantec have released a removal tool for Ramnit, users that fear their computer may have been infected, could download the software. For further information please visit www.getsafeonline.org or www.cyberstreetwise.com.

b2

Pierluigi Paganini