A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #18529  by EP_X0FF
 Fri Mar 15, 2013 2:56 am
kmd wrote: does anybody have new ramnit from this mmpc blog entry?

http://blogs.technet.com/b/mmpc/archive ... -town.aspx
It isn't really new :)

For AV kill see driver from this attach -> http://www.kernelmode.info/forum/viewto ... 832#p10832
It is still the same "Demetra" module. Ramnit receives a list of processes in IrpDispatchRoutine and passes it to a special procedure that starts a system thread. This thread runs an infinite loop of ZwQuerySystemInformation with the ProcessesAndThreads flag, with the scan set on a short delay. Then it compares the process names with the received ones using RtlEqualUnicodeString. If they are equal, the malware attempts to terminate this process -> PsLookupProcessByProcessId -> ObOpenObjectByPointer -> ZwTerminateProcess. The driver has an unload procedure :)
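A defender-side illustration of the behaviour described above, added here and not from the post or the malware: a kill loop that re-terminates a named process on a short delay leaves a telltale pattern in process create/terminate telemetry, namely the same image dying within a second or two of every start. The sample Sysmon-style lines, the image name "avscanner.exe" and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Sysmon-style lines (EventID 1 = process create, 5 = process terminate).
# "avscanner.exe" is a hypothetical AV process being restarted by a watchdog and
# killed again almost immediately; explorer.exe and cmd.exe behave normally.
SAMPLE_LOG = """\
2013-03-15T02:50:00 EventID=1 Image=C:\\Windows\\explorer.exe ProcessId=800
2013-03-15T02:56:00 EventID=1 Image=C:\\Program Files\\AV\\avscanner.exe ProcessId=1200
2013-03-15T02:56:01 EventID=5 Image=C:\\Program Files\\AV\\avscanner.exe ProcessId=1200
2013-03-15T02:56:05 EventID=1 Image=C:\\Program Files\\AV\\avscanner.exe ProcessId=1212
2013-03-15T02:56:06 EventID=5 Image=C:\\Program Files\\AV\\avscanner.exe ProcessId=1212
2013-03-15T02:56:10 EventID=1 Image=C:\\Program Files\\AV\\avscanner.exe ProcessId=1224
2013-03-15T02:56:10 EventID=5 Image=C:\\Program Files\\AV\\avscanner.exe ProcessId=1224
2013-03-15T02:57:00 EventID=1 Image=C:\\Windows\\System32\\cmd.exe ProcessId=3000
2013-03-15T02:57:01 EventID=5 Image=C:\\Windows\\System32\\cmd.exe ProcessId=3000
2013-03-15T03:10:00 EventID=5 Image=C:\\Windows\\explorer.exe ProcessId=800
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d) Image=(?P<image>.+?) ProcessId=(?P<pid>\d+)$")

def parse_events(text):
    """Return (timestamp, event id, lowercase image basename, pid) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore malformed lines instead of aborting the scan
        name = m["image"].rsplit("\\", 1)[-1].lower()
        events.append((datetime.fromisoformat(m["ts"]), int(m["eid"]), name, int(m["pid"])))
    return events

def find_kill_loops(events, max_lifetime=2.0, min_repeats=3):
    """Flag images whose last min_repeats instances all died within max_lifetime seconds."""
    starts = {}                       # (image, pid) -> create time
    streak = defaultdict(int)         # image -> consecutive short-lived instances
    for ts, eid, image, pid in sorted(events, key=lambda e: e[0]):
        if eid == 1:
            starts[(image, pid)] = ts
        elif eid == 5 and (image, pid) in starts:
            lifetime = (ts - starts.pop((image, pid))).total_seconds()
            if lifetime <= max_lifetime:
                streak[image] += 1
            else:
                streak[image] = 0     # a normal lifetime breaks the streak
    return {image: n for image, n in streak.items() if n >= min_repeats}

def detect(text):
    return find_kill_loops(parse_events(text))
```

Running `detect(SAMPLE_LOG)` flags only avscanner.exe; a single short-lived cmd.exe is not enough to trip the threshold.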
 #23475  by patriq
 Wed Jul 30, 2014 6:49 pm
The Ramnit bot first appeared around April 2010 as a file infector that infects PE32 files (.exe, .scr and .dll) and HTML documents. Now it is a multi-bot that can steal sensitive data such as FTP accounts and browser cookies. During the summer of 2011 Ramnit reached its peak population, accounting for more than 17% of all infections. It is clear, however, that the botnet owners could not be satisfied with reaching this mark alone, and the malware's area of interest moved from infection and identity theft to attacks on financial institutions, borrowing some modules from the leaked Zeus. In this article we will dive deeper into the analysis of Ramnit and the functionality of each of its components. You'll see how powerful a beast it has become, and we shed light on its probable development.
hxxps://damagelab.org/index.php?showtopic=25315&st=0&p=142266&#entry142266

Anyone have a sample of this new version?
 #23478  by EP_X0FF
 Wed Jul 30, 2014 7:06 pm
It is not a new version. This trash was attached here multiple times, including the file infector and the driver agent which for unknown reasons they call a "rootkit" - Demetra.

This "article" is a translation into Russian of the original VB Nov 2012 article by Chao Chen from Fortinet. Assume it is coru.ws plagiarism as they didn't provide any links or credits to the original author.

https://www.virusbtn.com/virusbulletin/ ... Ramnit.dkb
 #25499  by baordog
 Tue Mar 24, 2015 9:32 pm
egyp7 wrote: > Assume it is coru.ws plagiarism as they didn't provide any links or credits to the original author.
I'm sorry for this off-topic, but you're wrong in that opinion. All credits were saved; at the end of the translated article the coru.ws member posted the original source of the research:
3. CONCLUSION
Since its first discovery in April 2010, Ramnit has become a powerful bot with an extensible modular architecture and the integration of sophisticated components, and it poses a significant threat to the information and financial security of individuals and institutions.
Given the rapid spread of Ramnit through social engineering tricks and the periodic improvements to its modules, it is quite likely that the battle against Ramnit is only beginning.
NOVEMBER 2012 VIRUS BULLETIN
What is coru.ws? Looks like Russian anon.