Thursday, January 12, 2012

Blackhole Ramnit - samples and analysis

Ramnit, a Zeus-like trojan/worm/file infector with rootkit capabilities, has been in the wild for a long time but recently made news because Seculert reported a financial variant of this malware aimed at stealing Facebook credentials.

While I did not see any Facebook related activity in my samples, I am posting them anyway for your research as their functionality is the same.

The samples I have are being spread not via Facebook but via the Blackhole exploit kit, which is a very effective method. The Blackhole exploit kit has been associated with the spread of ZeuS and SpyEye, so it is not surprising that Ramnit is being spread in the same manner by the same groups. The group of command and control servers that I researched is associated with pharma spam and "Canadian" online pharmacies.

General File Information

File: 607B2219FBCFBFE8E6AC9D7F3FB8D50E
MD5:  607B2219FBCFBFE8E6AC9D7F3FB8D50E

File: c33e7ed929760020820e8808289c240e
MD5:  C33E7ED929760020820E8808289C240E

File: 76991eefea6cb01e1d7435ae973858e6 - not analysed
MD5:  76991EEFEA6CB01E1D7435AE973858E6

File: 2ff2c8ada4fc6291846f0d66ae57ca37 - not analysed
MD5:  2FF2C8ADA4FC6291846F0D66AE57CA37


Download all the binaries and dropped files as a password protected archive (email me if you need the password)


The files analysed were / are being distributed via the Blackhole exploit pack. It starts with the usual large-letter message "Please wait page is loading", then the Java exploit launches and the compromise takes place if the machine is vulnerable. Here you can see the Blackhole domains spreading Ramnit in the Malwaredomainlist. The domain belongs to a legitimate company and is registered in Arizona, while a subdomain is registered by some Ukrainian guy. Not sure how they managed that.
Domains By Proxy, LLC
15111 N. Hayden Rd., Ste 160, PMB 353
Scottsdale, Arizona 85260
United States
Host unreachable -
VPS services
Vladimir Gubarenko
p/o box 8967
61106, Kharkov
phone: +7 4956637354
fax: +7 4956637354

Brief Analysis

Hendrik Adrian from Japan posted his analysis of the same sample (0day.JP - Ramnit), where he described the files created by the malware and the spam-sending capabilities of the bot.

1. Deletes the registry settings for safe boot, which causes a BSOD and prevents one from removing the malicious files in safe mode.

2. Adds a Windows service
Micorsoft Windows Service - note the spelling

3. Adds the following files (names vary)

File: vcryserj.exe
Size: 135680
MD5:  607B2219FBCFBFE8E6AC9D7F3FB8D50E
  • \Application Data\wduqtdai.log - number of logs varies, contain encrypted data
  • \Application Data\xtyepaef.log - number of logs varies, contain encrypted data
  • \Temp\nhptugtstukgwpyi.exe - copy of the original
File: nhptugtstukgwpyi.exe
Size: 135680
MD5:  607B2219FBCFBFE8E6AC9D7F3FB8D50E
  • \Start Menu\Programs\Startup\vcryserj.exe - copy of the original
File: vcryserj.exe
Size: 1356
MD5:  607B2219FBCFBFE8E6AC9D7F3FB8D50E
File: dnsgvbny.sys
Size: 15360
MD5:  A6D351093F75D16C574DB31CDF736153

Ramnit injects itself into two svchost.exe processes; you can see them if you sort all processes by PID, the last two will be those created by Ramnit.

It generates spam that it sends out on port 25; Hendrik already described this behavior in his post.

The second file has file infector features I did not observe in 607B2219FBCFBFE8E6AC9D7F3FB8D50E.
As you see in the log below, the malicious svchost.exe modifies or tries to modify every binary and HTML file by appending malicious code to each binary or a VBS script to HTML files, as described in this post by ESET (Win32/Ramnit.A) and here in the post by Avira (Closer look at W32/Ramnit.C).

This does not break the infected binaries; all files continue to work as designed, except that they infect or reinfect the computer they are running on. Webmasters may upload infected HTML files, and visitors to their sites may get infected as well. For an average user, it is impossible to clean a system compromised with the Ramnit file infector and use it with confidence. The only way is to say goodbye to all the HTM(L), DLL and EXE files and build a new system without trying to copy any HTML files, bookmarks or applications.

This is what happens with VirustotalUpload2.exe (and most other programs, including Adobe, MS Office and Windows files):
Submission date:
2012-01-10 04:29:25 (UTC)
Result:37 /43 (86.0%)
Antivirus     Version     Last Update     Result
AhnLab-V3     2012.01.09.00     2012.01.09     Win32/Ramnit.O
AntiVir     2012.01.10     W32/Ramnit.E
Avast     6.0.1289.0     2012.01.09     Win32:Ramnit-H
AVG     2012.01.10     Win32/Zbot.G
BitDefender     7.2     2012.01.10     Win32.Ramnit.N
ByteHero     2011.12.31     Trojan.Win32.Heur.Gen
CAT-QuickHeal     12.00     2012.01.09     W32.Ramnit.C
ClamAV     2012.01.10     Trojan.Patched-168
Commtouch     2012.01.10     W32/Ramnit.E
Comodo     11229     2012.01.10     TrojWare.Win32.Patched.SM
DrWeb     2012.01.09     Win32.Rmnet.8
Emsisoft     2012.01.10     Virus.Win32.Zbot!IK
eTrust-Vet     37.0.9672     2012.01.09     Win32/Ramnit.AJ
F-Prot     2012.01.09     W32/Ramnit.E
F-Secure     9.0.16440.0     2012.01.09     Win32.Ramnit.N
Fortinet     4.3.388.0     2012.01.10     W32/Ramnit.B
GData     22     2012.01.09     Win32.Ramnit.N
Ikarus     T3.     2012.01.10     Virus.Win32.Zbot
Jiangmin     13.0.900     2012.01.09     Win32/
K7AntiVirus     9.124.5897     2012.01.09     Trojan
Kaspersky     2012.01.10
McAfee     5.400.0.1158     2012.01.10     W32/Ramnit.b
McAfee-GW-Edition     2010.1E     2012.01.09     W32/Ramnit.b
Microsoft     1.7903     2012.01.09     Virus:Win32/Ramnit.AF
NOD32     6780     2012.01.10     Win32/Ramnit.H
Norman     6.07.13     2012.01.09     W32/Ramnit.AB
nProtect     2012-01-09.01     2012.01.10     Win32.Ramnit.N
Panda     2012.01.09     W32/Cosmu.L
PCTools     2012.01.10     Malware.Ramnit
Rising     2012.01.10     Win32.Ramnit.c
Symantec     20111.2.0.82     2012.01.10     W32.Ramnit.B!inf
TrendMicro     9.500.0.1008     2012.01.10     PE_RAMNIT.KC
TrendMicro-HouseCall     9.500.0.1008     2012.01.10     PE_RAMNIT.KC
ViRobot     2012.1.10.4872     2012.01.10     Win32.Ramnit.A
VirusBuster     2012.01.09     Win32.Ramnit.Gen.3
Additional information
MD5   : 25f6ee42d37e3f2f7dbe795e836d52e2


607B2219FBCFBFE8E6AC9D7F3FB8D50E - C&C is sinkholed
C33E7ED929760020820E8808289C240E - C&C is active

Despite the fact that the C&C for 607B2219FBCFBFE8E6AC9D7F3FB8D50E is sinkholed, it is still interesting to see the malware behavior when it tries to establish a connection with the server.

Ramnit samples used by the same group of attackers have an overlapping set of C&C servers. The lists are not identical, but I found that my samples, which are supposedly a later version than Ramnit.AK, have approximately 80% overlap with the C&C list used by the Ramnit.AK binary described by Sophos. I have combined the two lists and ran WHOIS queries to establish the active C&C servers and their location and registration.

The communications with the sinkholed server below show that once the bot receives a SYN command from the C&C, it sends 6 bytes of data. The exact same behavior is described in this analysis of the binaries from summer 2011 (Bot of the Day: Ramnit/Ninmul, Monday, July 18th, 2011), with the only difference that the second packet sent by the bot was not 75 bytes but 149 bytes. If a connection with the server is established, the traffic continues on port 443; it is encoded but it is not SSL, it is some sort of custom protocol.
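The observation that the port 443 traffic is encoded but not SSL is itself a detection hook: a genuine TLS session opens with a ClientHello record, and an opaque 6-byte first message does not. The check below is an added example, not from the original post; the flows are constructed and the 6-byte payload is a placeholder, not the bot's real bytes.

```python
"""Flag port-443 flows whose first client bytes are not a TLS ClientHello.
Added example; the flows below are constructed, and the opaque 6-byte
payload is a placeholder standing in for the bot's first message."""
from dataclasses import dataclass

@dataclass
class Flow:
    client: str
    server: str
    dport: int
    first_payload: bytes  # first bytes the client sent after the TCP handshake

def looks_like_tls_client_hello(payload: bytes) -> bool:
    """Check the TLS record and handshake headers only:
    record type 0x16 (handshake), record version 0x03 0x00..0x03 (SSLv3 to
    TLS 1.2; TLS 1.3 clients also send 0x0301 or 0x0303 here), a record
    length no larger than the 2^14 plaintext limit, handshake type 0x01
    (ClientHello) and a handshake length consistent with the record length."""
    if len(payload) < 9:
        return False
    if payload[0] != 0x16 or payload[1] != 0x03 or payload[2] > 0x03:
        return False
    record_len = int.from_bytes(payload[3:5], "big")
    if record_len == 0 or record_len > 2 ** 14:
        return False
    if payload[5] != 0x01:
        return False
    handshake_len = int.from_bytes(payload[6:9], "big")
    return handshake_len + 4 == record_len  # 4-byte handshake header

def flag_non_tls_443(flows):
    """Return (client, server) pairs that talk to port 443 without opening a
    TLS handshake. Legacy SSLv2-style hellos (first byte with the high bit set)
    would also be flagged, so treat a hit as a lead to inspect, not a verdict."""
    return [(f.client, f.server) for f in flows
            if f.dport == 443 and not looks_like_tls_client_hello(f.first_payload)]

# Constructed flows: a browser's ClientHello (header only, random bytes
# truncated) and a bot-style opaque 6-byte message on the same port.
CLIENT_HELLO_PREFIX = bytes.fromhex("16 03 01 00 4c 01 00 00 48 03 01") + bytes(20)
OPAQUE_SIX_BYTES = bytes.fromhex("0a 00 00 00 01 00")  # placeholder, not real bot data

FLOWS = [
    Flow("10.0.0.5", "198.51.100.3", 443, CLIENT_HELLO_PREFIX),
    Flow("10.0.0.7", "203.0.113.9", 443, OPAQUE_SIX_BYTES),
    Flow("10.0.0.7", "203.0.113.9", 80, b"GET / HTTP/1.1\r\n"),
]
```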

The bot goes through the list of domains trying to find those that are active. Most of the domains are not registered yet, but the two currently active domains were registered on January 5 and 6, 2011. It appears that the attackers register new domains as soon as they lose any due to sinkholing and domain cancellations. Since all the domains have the most random names, they are not likely to be registered by someone else before they are needed. Having each binary check a long list of domains makes the bot very noisy (consider making IDS signatures based on UDP port 53 thresholds), but it prevents the death of the botnet in case of C&C loss. I have compiled a list of approximately 400 domains, with only 21 of them registered. If you have created DNS blocks or sinkhole domains, consider blocking or sinkholing all of them, not only the active ones.
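A threshold check of the kind suggested above, counting distinct NXDOMAIN answers per client rather than raw UDP/53 volume, since most of the bot's ~400 names are unregistered. Added example, not from the original post; the resolver log format, client addresses and domain names are all constructed.

```python
"""Flag hosts that resolve bursts of distinct non-existent domains, the
pattern an infected machine shows while walking Ramnit's C&C domain list.
Added example: log format, hosts and names below are constructed."""
import random
import string
from collections import defaultdict
from datetime import datetime, timedelta

def constructed_log():
    """Sample resolver lines "<ISO time> <client> <qname> <rcode>": one client
    with two typo lookups, one client hunting through 25 random-looking names."""
    lines = [
        "2012-01-10T04:29:00 10.0.0.5 mail.example.com NOERROR",
        "2012-01-10T04:29:05 10.0.0.5 wwww.example.com NXDOMAIN",
        "2012-01-10T04:29:09 10.0.0.5 exampel.com NXDOMAIN",
    ]
    rng = random.Random(7)  # fixed seed so the sample is reproducible
    for sec in range(25):
        label = "".join(rng.choice(string.ascii_lowercase)
                        for _ in range(rng.randint(8, 16)))
        lines.append(f"2012-01-10T04:29:{sec:02d} 10.0.0.7 {label}.com NXDOMAIN")
    return lines

def parse_line(line):
    ts, client, qname, rcode = line.split()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip("."), rcode

def nxdomain_bursts(lines, threshold=20, window_seconds=60):
    """Return {client: peak} for clients whose count of *distinct* NXDOMAIN
    names within any sliding window of window_seconds reaches threshold.
    Distinct names keep a retried typo from accumulating; the bot's list of
    unique names still trips the check."""
    per_client = defaultdict(list)
    for line in lines:
        ts, client, qname, rcode = parse_line(line)
        if rcode == "NXDOMAIN":
            per_client[client].append((ts, qname))
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({q for _, q in events[start:end + 1]}))
        if peak >= threshold:
            flagged[client] = peak
    return flagged
```

Tune the threshold against your own resolver's baseline; a host that is also a mail server or runs a DNSBL client will have a legitimately higher NXDOMAIN rate.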
Domain name:  - Leaseweb Germany GmbH (previously netdirekt e. K.)
Registrar: Regtime Ltd.
Creation date: 2012-01-05
Expiration date: 2013-01-05

Domain Name:
    Domain Admin        (
    ID#10760, PO Box 16
    Note - All Postal Mails Rejected, visit
    Nobby Beach
    null,QLD 4218
    Tel. +45.36946676  - Leaseweb Germany GmbH (previously netdirekt e. K.)
Creation Date: 06-Jan-2012 
Expiration Date: 06-Jan-2013
 Communications with a sinkholed C&C and search for a new active server:

Bot <-> C&C communications on port 443

List of domains used by Ramnit binaries - feel free to pre-emptively sinkhole them. Part of them are from this Sophos analysis and part from running these two binaries.

Registered domains. See the text version below. The yellow/red entries show active C&C; all others are sinkholed or NXD'd.

As you can see, many domains are registered by "Aleksandr Bragilevskij":
Registrar: Regtime Ltd.
Creation date: 2011-12-03
Expiration date: 2012-12-03

    Aleksandr Bragilevskij
    Organization: Aleksandr Bragilevskij
    Address: 333 E 79th St # 1T,
    City: New York City
    State: NY
    ZIP: 10001
    Country: UM
    Phone: +1.2127332323
    Fax: +1.2127332323

Google Search for reveals that the same address was used to register fake Canadian pharmacy sites, which makes sense, considering the Viagra spam.
Markus Faizer
Pfizer International
333 E 79th St # 1T,
New York City
United States
Phone: +1.2127332323
Fax: +1.2127332323

