Ramnit botnet assaulted by Europol operation

Europol and international law enforcement agencies have disrupted the activities of a botnet thought to have infected 3.2 million computers worldwide.
Written by Charlie Osborne, Contributing Writer

The Ramnit botnet has been disrupted in a joint operation of law enforcement agencies led by Europol.

Europol's European Cybercrime Centre (EC3) and law enforcement agencies from Germany, Italy, the Netherlands, and the United Kingdom have completed an operation to take down the botnet, which is believed to have infected 3.2 million computers around the globe. The successful project, revealed on Tuesday by Europol, involved taking down the botnet with the help of Microsoft, Symantec and AnubisNetworks.

The groups shut down the botnet's command and control servers and redirected a total of 300 Internet domain addresses used by criminal operators.

According to Symantec, the Ramnit botnet -- a web of infected and compromised 'slave' computers controlled by operators -- acquired fresh targets by infecting Windows PCs with malware through phishing campaigns and malicious websites. In addition, public FTP servers have been discovered distributing the malware.

Identified as W32.Ramnit.B , the botnet has been in operation for at least five years after first appearing as a worm in 2010. The botnet's capabilities were boosted after elements of the Zeus Trojan -- of which source code was leaked in 2011 -- were integrated.

Europol says botnet operators were able to gain remote access and control of the infected computers, enabling them to steal personal and banking information as well as disable antivirus protection. In addition, the botnet is capable of monitoring web browsing sessions, stealing web cookies to impersonate victims, and download additional malware. Symantec researchers say:

"Ramnit's authors have incorporated a number of features that make it difficult to banish from a compromised computer. During installation, it will place a copy of itself into the computer's memory as well as writing itself to the hard disk.
The memory-based copy actively monitors the hard disk and, if it detects that the hard disk-based copy has been removed or quarantined, it will drop another copy back on to the hard disk to keep the infection alive."

Ramnit has infected computers worldwide, with the worst affected countries including India, the US and Bangladesh.


Symantec says that while the amount of infected computers has decreased over time, the company still detected an average of 6,700 new infections in November 2014 -- which is lower than a daily average of 8,000 in May 2014.

Europol's Deputy Director Operations, Wil van Gemert, commented:

"This successful operation shows the importance of international law enforcement working together with private industry in the fight against the global threat of cybercrime. We will continue our efforts in taking down botnets and disrupting the core infrastructures used by criminals to conduct a variety of cybercrimes.
Together with the EU Member States and partners around the globe, our aim is to protect people around the world against these criminal activities."

If you believe you may have been infected, Symantec has provided a free removal tool which can be downloaded here.

Read on: In the world of security

Read on: Fixes and Flaws

Editorial standards