A new type of malware currently threatening banks in the U.S. and U.K. contains features highly reminiscent of the infamous Zeus Trojan, a Trusteer researcher recently revealed.
The Ramnit malware has been active for the past 18 months, Ayelet Heyman said in a blog post, but it only recently began to display some of the advanced techniques common to the more widely known Zeus program.
"Since the Zeus source code is available for free and given the similarities between Zeus' and Ramnit's 'standard financial approach' and configuration format, we suspect the malware authors incorporated parts of Zeus into Ramnit. We are still investigating Ramnit's Zeus component," Heyman wrote, adding that the program's creators didn't even bother to rename the borrowed Zeus functionality.
The researcher described the malware's approach to hijacking banking information as "standard," using HTML injection to spoof login pages, edit transactions between the victim and the financial institution, and even create transactions of its own. What's more, all of this malicious activity is largely invisible to both the user and the affected web application, making infection comparatively difficult to detect.
Ramnit also phones home frequently, connecting to a C&C server to send reports and update its configuration, according to Heyman. The malware uses SSL technology to protect its communication, ironically taking advantage of a well-known security protocol to avoid detection.
Microsoft found that Ramnit's array of attack techniques also includes Office file infection, enabling it to be passed along via .doc and .xls files.
Ramnit is a good example of the threat posed by evolutions of older malware, which may not be tracked as assiduously by security professionals as new infections, but which nevertheless pose a significant data security risk.