Facing down the Ramnit virus on Facebook

Facing down the Ramnit virus on Facebook: Tips for protection and clean-up

By Bob Eisenhardt

Takeaway: Bob Eisenhardt explains how the Facebook virus Ramnit works, why it’s so bad, and how it can affect much more than a Facebook account.

Ramnit is advertised as a lethal virus for attacking Facebook, having stolen 45,000 accounts and passwords. The virus itself is actually pulled from a used parts bin of older virus infestations such as the Zeus botnet. But it can now be controlled remotely for all kinds of mayhem too. According to Amit Klein, CTO of a web security services firm, last year it was just a nasty botnet. This new version has added power by being retrofitted with financial fraud capabilities. It can capture any data in any web session. Now, this writer has been a passionate HATER of cloud based computing, so in my view, having your data or (worse) sensitive client data stored through the Internet and accessed by HTML files, provides an open door for Ramnit, a truly awful threat to anything and everything web-based.

This monster begins by attaching itself to (as they always do) Windows files such as EXE, SCR and good old DLL files (when can we rid ourselves of those?) as well as Word documents. HTML files are also in this group, and it can now discover our handy pocket friend: USB cards. Once it has this new home, an autorun script ensures infection of whatever else our key is plugged into. Now resident in a system, it buries itself into the registry (nothing new there) and uses a hidden browser instance to connect to your friendly Hacker, and run scripts to find financial stuff and send it over to an eager thief. As Dr. Leonard McCoy said in STAR TREK IV: “Oh, joy.”

Ramnit leaves behind some classic symptoms of a virus. One user posted a note that his laptop was now clean (I doubt it) but he had one file named “yghaubfg.exe” and a folder “qdpnkxvp” on his system under Downloads. I am always amazed that hackers employ such obvious and fraudulent names for the files, for which we may be thankful. The latter file and directory name seem standard for Ramnit.

Cleaning up after Ramnit

Technicians love to spend hours on diagnostics and discovering how things work. While interesting, I prefer sanity to extended effort, so I endorse using a BartPE boot CD to clean your system. Better yet, maintain a GHOST image of your primary operating system drive and also have a redundant system, a secondary computer, to act as your station in case your primary fails. (A note on my preferred system configuration: my stations have two hard drives: OPSYS and STORAGE. The operating system drive contains just that and nothing else. STORAGE stores literally “everything else” inclusive of a ghost image. I highly commend this protocol).

The removal process is otherwise complex. One expert ran Avast antivirus, and a 2 hour scan revealed 4,300 infected files. Believe me that while re-installation may be the only option at this point, I commend a ghost image as discussed just above as a FAR better solution for rebuilding. This expert was also worried about .DOC and .HTML files being infected, which is another good reason for an independent backup location. Rolling back the registry to a restore point did not work either, all points having been deleted. (But Windows search still had the doggie. Go figure). Trust me, spending 30 minutes for a ghost image restore is a bargain of time utilization and keeps the stress level low.

Remedies for Facebook

All of which means that Facebook is nothing more than a really great delivery system for Ramnit to find other places to burrow into, which makes Facebook so damn dangerous. The worst of it is that people use it in their workplace. If your organization is into cloud computing, you have a really nice LEGAL exposure issue and a potential lawsuit in your future.

As for defense issues, the standard concepts of changing passwords every 30 days on Facebook is a good first, but simple step. A better step in the workplace is to lock out Facebook entirely, if it has no business use. There is an easy way to do this.

OpenDNS is a terrific web-management protocol, and has the paid program (inexpensive) has the ability to manage white and black lists. Implementing the DNS servers is simple. Once you have their DNS servers IP addresses, dig into the router or server, and replace your ISP DNS systems with their systems and voila! OpenDNS is your best friend. Dig into the Black list and add Facebook and whatever else you want. Users may scream, which is a good time to have them read not only this article but also anything describing the consequences of a lawsuit and unemployment benefits.

Danny Harris, security guru at Aon group, held a security seminar in 2003 that left the whole IT staff shaking their heads in shame. The bad guys are so good at what they do that our puny efforts seemed doomed to eternal failure. Case in point: virus code buried inside photographs that are impossible to see or detect. Same with the famous Facebook “two blondes” picture. Rule of thumb: someone sends you a picture: dump with freedom. The best rule is trust NOBODY and enjoy only your own photographs. On Facebook, this is a tall order indeed. Open a picture = hello Ramnit.

The root problem is that so we are Internet-web based for absolutely everything in life. Bill-paying is now the online way to live along with financial account access. Major banks have gotten better to a degree. If I try to access my accounts from another computer other than the one I have at home, the security protocols require a send and verify code to email, which is a great idea … unless someone hijacks my email too (from Facebook) and can get the code and impersonate me (from Ramnit) which is not farfetched idea at all. It really makes me long for my old DOS 3.2 computer in some ways.

Having scared myself to pieces, I created a GHOST image of this computer. Took 10 minutes to create = same to restore if I have to. Trust me, this is a far better, less stressful method to repair a computer.

Get IT Tips, news, and reviews delivered directly to your inbox by subscribing to TechRepublic’s free newsletters.

How do I remove a computer virus?

If your computer is infected with a virus, you'll want to remove it as quickly as possible. A fast way to check for viruses is to use an online scanner, such as the Microsoft Safety Scanner. The scanner is a free online service that helps you identify and remove viruses, clean up your hard disk, and generally improve your computer's performance.

If you're not sure whether your computer has a virus, see How can I tell if my computer has a virus? to check for some telltale signs. To try a different online scanner, follow the links to other companies that provide them on the Windows Security software providers webpage.

If you can connect to the Internet

If you can reach a website using your web browser, run an online scan.

To run the Microsoft Safety Scanner

1. Go to the Microsoft Safety Scannerwebpage to download the scanner.
2. Click Download Now, and then follow the instructions on the screen.

If you can't connect to the Internet

If you can't get to the Microsoft Safety Scanner online, try restarting your computer in safe mode with networking enabled.

To restart in Safe Mode with networking enabled

1. Restart your computer.
2. When you see the computer manufacturer's logo, press and hold the F8 key.
3. On the Advanced Boot Options screen, use the arrow keys to highlight Safe Mode with Networking, and then press Enter.
4. Log on to your computer with a user account that has administrator rights.
5. Follow the steps above to run the Microsoft Safety Scanner.

For more information about different startup modes, see Start your computer in safe mode.

If you still can't access the Internet after restarting in safe mode, try resetting your Internet Explorer proxy settings. The following steps reset the proxy settings in the Windows‌ registry so that you can access the Internet again.

To reset Internet Explorer proxy settings

1. In Windows 7, click the Start button . In the search box, type run, and then, in the list of results, click Run.
   -or-
   In Windows Vista, click the Start button , and then click Run.
   -or-
   In Windows XP, click Start, and then click Run.
2. Copy and paste or type the following text in the Open box in the Run dialog box:
   reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f
3. Click OK.
4. In Windows 7, click the Start button . In the search box, type run, and then, in the list of results, click Run.
   -or-
   In Windows Vista, click the Start button , and then click Run.
   -or-
   In Windows XP, click Start, and then click Run.
5. Copy and paste or type the following text in the Open box in the Run dialog box:
   reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f
6. Click OK.

Restart Internet Explorer and then follow the steps listed previously to run the scanner.

Remove a virus manually

Sometimes a virus must be removed manually. This can become a technical process that you should only undertake if you have experience with the Windows registry and know how to view and delete system and program files in Windows.

First, identify the virus by name by running your antivirus program. If you don't have an antivirus program or if your program doesn't detect the virus, you might still be able to identify it by looking for clues about how it behaves. Write down the words in any messages it displays or, if you received the virus in email, write down the subject line or name of the file attached to the message. Then search an antivirus vendor's website for references to what you wrote down to try to find the name of the virus and instructions for how to remove it.

Recovery and prevention

After the virus is removed, you might need to reinstall some software or restore lost information. Doing regular backups on your files can help you avoid data loss if your computer becomes infected again. If you haven't kept backups in the past, we recommend that you start now.

To learn how to help protect your computer against viruses in the future, see How can I help protect my computer from viruses?

Quick Analysis Of W32.Ramnit (aka DesktopLayer.exe)

Published on October 3, 2010 in Malware & Virus Analysing. 3 Comments Tags: DesktopyLayer.exe, fget-career.com, glavdmn.com, Ramnit, Worm.Ramnit, zahlung.name.

Recently I came across a malware sample which have made some suspicious network activity to a domain called zahlung.name. The domain name looks very suspicious (German word for “payment”) so I decided to take a closer look at the sample.

The Malware which I will talking about in this post is a Worm called W32.Ramnit. The Worm was first discovered in 2010 (in January by Synamtec and in August by McAfee).

*** Worm W32.Ramnit ***

Let’s take a quick look at the behavior of Ramnit. The Worm always installs itself into the same directory using the same filename:

C:\Program Files\Microsoft\DesktopLayer.exe

In this case the file has a very bad AV detection rate:

Filename: DesktopyLayer.exe

MD5: 8746774d1033048dcdc6f82ffaffd80d

SHA1: 142fca53e1ffd6b40803d7989417fd6e4fbab1b4

File size: 51’200 bytes

VT Result: 3 /43 (7.0%)

After the Worm infected the computer, it starts iexplore.exe in a invisible mode and injects itself into the process. In this way the Worm is able to bypass the local Firewall and communicate with it’s Command&Control Server (C&C).

As soon as the computer is infected, the Worm starts to spread itself by infecting all files on the victim’s computer which have the file extension EXE, DLL or HTML. For example, if Quick Time Player is installed on the victim’s computer the Worm will automatically search thru the directory and infecting the EXE, DLL and HTML files. Below is a screenshort of a clean systems (before the infection):

Followed by a screenshot of a infected system (same directory):

Note that the file size and date modified of the infected files has changed. The same goes for other directories with EXE, DLL or HTML files for example the Adobe Reader directory (before the infection):

And after infection:

Let’s compare the original (clean) files with the infected files which has been patched by Worm Ramnit:

*** QTTask.exe (Quick Time) ***

Clean

* MD5: 6df76965a0fb8237e9c3b3cab9815ec2

* File size: 413’696 bytes

* VT result: 0/41 (0.0%)

Infected

* MD5: c32b6f477c5454d4e2cded81e686036d

* File size: 466’944 bytes

* VT result: 38/42 (90.5%)

*** AGM.dll (Adobe Reader) ***

Clean

* MD5: 8f0b2030b5e42235c855a94a17f57118

* File size: 4’883’456 bytes

* VT result: 0/41 (0.0%)

Infected

* MD5: 833c79d662f8cc47579540dc03505419

* File size: 4’936’192 bytes

* VT result: 39/43 (90.7%)

As shown on Virustotal, the files which have been infected by the Worm are pretty good detected by most of the AV engines.

If we take a closer look into a infected HTML file we will see that the Worm has added a VB-Script at the end of the file:

<script type='text/javascript'>

<SCRIPT Language=VBScript>

If a user runs the HTML file, the VB-Script will drop a file called “svchost.exe” and infect the computer.

*** C&C Communication ***

The Worm is using it’s own proprietary protocol to communicate with the C&C server on port 443 (which is normally HTTPs). Since August 2010 I’ve seen three different domain names which are being used by Worm Ramnit:

• zahlung.name (Firstseen on 2010-10-01)
• glavdmn.com (Firstseen on 2010-09-16)
• fget-career.com (Firstseen on 2010-09-03)

I’ve Google for all three domain names and I haven’t found any evidence which would show that these domain names are malicious. But of course they are. Unfortunately, if we lookup those domain names on URLVoid it won’t look better:

• www.urlvoid.com/scan/zahlung.name [Detection: 1/17 (6 %)]
• www.urlvoid.com/scan/glavdmn.com [Detection: 1/17 (6 %)]
• www.urlvoid.com/scan/fget-career.com [Detection: 1/17 (6 %)]

It’s a pretty good example that sometimes the AV industry fails.

*** How the Worm spread itself ***

Worm Ramnit uses several ways to spread itself and infect other computers:

• Drive-By exploits
• Infecting EXE, DLL and HTML files on the victims computer
• Infecting removable medium including USB Stick, USB Harddrives and CDs

*** Conclusion ***

Due to the fact, that the Worm installs itself always as “DesktopLayer.exe”, it shouldn’t be to hard to identify infected systems. If you Google for “DesktopLayer.exe” you will see over 30’000 hits including users who complaining about the file “DesktopLayer.exe” which they just found on their computer. So it looks like the Worm is already pretty wide spreaded.

As already mentioned before, the Worm has various methods how he can spread itself. Mainly worms are a big problem for large networks (like coperate or governmental networks): If you have one infected computer the Worm will spread quickly within your network by infecting removable drivers or files one networks shares.

The mentioned C&C domain names which are associated with Worm Ramnit are already listed on AMaDa. Therefore you can use the AMaDa C&C Domain Blocklist to block C&C traffic or identify infected systems in your network.

Virus That Blocks Itself	Posted by ThreatSolutions @ 08:42 GMT

Virus:W32/Ramnit is no stranger to many malware analysts/researchers, as it was in the wild back in 2010.

Other malware researchers have blogged about the technical details of this interesting virus (here and here, for example); however there are still some noteworthy techniques — and an "easter egg" — waiting to be discovered.

One of the interesting techniques is the injection method that Ramnit uses. This differs from the traditional method, in which a virus would create a suspended thread and inject code using a memory writing Windows API function, then resume the suspended thread after the injection is done.

In this case, what makes Ramnit different is that it calls a Windows API function to spawn a new process, either the default web browser process or the Generic Host Process for Win32 Services, also known as svchost.exe. By injecting into this newly spawned process, the code is not easily visible to users and able to bypass the firewall.

Before this happens though, Ramnit installs an inline hook in an undocumented Windows native system service called Ntdll!ZwWriteVirtualMemory. The picture below depicts how this injection works:



The hooked Windows native system service redirects the code execution flow to the module defined in the caller process to perform the code injection routine. The injected code in the new process includes the capability for file infection (Windows executable and HTML files), as well as backdoor and downloader functionalities.

Another noteworthy detail in Ramnit is its "easter egg", found in the DLL that it injects to the processes mentioned above. The code snapshot below should explain everything:



Basically, this easter egg navigates to the registry key and looks for "WASAntidot":



When we try to create "WASAntidot" registry key on a test machine, we see this:



Voila! The machine is safe from Ramnit infection now!