Security Vulnerabilities

Ramnit Trojan

The Ramnit trojan continues to evolve and is spreading by using a fake Facebook Messenger Android app. The trojan will remain on the device until connected to a computer. Once installed, the trojan will then copy itself to several locations.

The Ramnit Trojan is able to:

  • Receive commands from remote attackers
  • Capture screenshots from compromised computers
  • Track the user’s keystrokes on the compromised computer
  • Deliver additional malware
  • Hide in applications
  • Simulate user input
  • Harvest system information

Ramnit exploits a vulnerability from 2010 (CVE-2010-2568). This has the biggest impact on Windows 7 users. Ramnit has infected over three million computers worldwide.

Ramnit has been observed actively targeting the Google Play store.

The file uses two tactics to inject itself into a system: either injecting VBScript code into an HTML page, which executes the worm, or injecting an iframe into HTML files, which in turn downloads the relevant remote file when the page is accessed.
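A defender-side check for the two HTML infection patterns described above, added here as an example (it is not code from the original post, not a Ramnit signature, and not part of any vendor product): it walks an HTML document and flags VBScript script blocks and iframes that pull content from a host other than the page's own, or that are sized or styled to be invisible. The sample pages and the `malicious.invalid` host name are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class InjectionScanner(HTMLParser):
    """Flags VBScript script blocks and suspicious iframes in one HTML page."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host  # host the page legitimately belongs to
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script":
            # Pattern 1: VBScript injected into the page (language= or type=)
            if any("vbscript" in a.get(k, "").lower() for k in ("language", "type")):
                self.findings.append(("vbscript_block", a.get("src", "inline")))
        elif tag == "iframe":
            # Pattern 2: an iframe pulling a remote file, often sized to be invisible
            src = a.get("src", "")
            host = urlparse(src).hostname
            if (host and host != self.page_host) or self._looks_hidden(a):
                self.findings.append(("remote_iframe", src))

    @staticmethod
    def _looks_hidden(a):
        style = a.get("style", "").replace(" ", "").lower()
        tiny = (a.get("width", ""), a.get("height", "")) in {("0", "0"), ("1", "1")}
        return tiny or "display:none" in style or "visibility:hidden" in style


def scan_html(html, page_host="www.example.org"):
    """Return [(finding_type, detail), ...] for a page served from page_host."""
    scanner = InjectionScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample pages; malicious.invalid is a reserved placeholder name.
CLEAN_PAGE = ("<html><body><h1>Hello</h1>"
              "<iframe src='https://www.example.org/widget'></iframe></body></html>")
INFECTED_PAGE = ("<html><body><p>text</p>"
                 "<script language='VBScript'>' placeholder, no payload</script>"
                 "<iframe src='http://malicious.invalid/load.html' width='0' height='0'>"
                 "</iframe></body></html>")

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(name, scan_html(page))
```

Run over a web root's .htm and .html files, a non-empty result list is a reason to pull the host for antivirus scanning rather than to edit the page by hand.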

Although it does not operate or run on Android, Google has detected it in content downloaded from its online store. It uses the Android operating system to spread to PCs when they are connected.

As Ramnit infects all .exe, .dll, .htm and .html files, it is near impossible to remove manually, and antivirus software is needed to remove the malware.

Remediation

To prevent and detect a Trojan infection, ensure that:

  • A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
  • All operating systems, antivirus and other security products are kept up to date.
  • All day-to-day computer activities such as email and internet are performed using non-administrative accounts.
  • Strong password policies are in place and password reuse is discouraged.
  • Network, proxy and firewall logs are monitored for suspicious activity.

Duncan

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
