Good riddance, Ramnit. Europol's European Cybercrime Centre, or EC3, is reporting success on a coordinated joint international operation to take down the Ramnit botnet (a botnet being a network of infected computers under a criminal's remote control). Ramnit was an especially pesky botnet, infecting an estimated 3.2 million computers worldwide.
EC3 organized the sting from its operational center in The Hague, drawing on investigators from Germany, Italy, the Netherlands, the United Kingdom and private industry partners to bring the botnet down.
"This successful operation shows the importance of international law enforcement working together with private industry in the fight against the global threat of cybercrime," said Wil van Gemert, Europol deputy director of operations. "We will continue our efforts in taking down botnets and disrupting the core infrastructures used by criminals to conduct a variety of cybercrimes. Together with the EU Member States and partners around the globe, our aim is to protect people around the world against these criminal activities."
Targeting Windows Users
Ramnit was birthed as a worm that security firm Symantec said first surfaced in 2010. According to EC3, criminals used the Ramnit botnet to gain remote access and control of the infected computers, making it possible to steal personal and banking information, specifically passwords, and disable anti-virus protection. The botnet infected Facebook and other social media sites in 2012.
The insidious malware infected users running Windows operating systems and used several infection vectors, including links contained in spam e-mails. "It spread quickly due to aggressive self-propagation tactics," Symantec said, "and once it compromised a computer it sought out all EXE, DLL, HTM, and HTML files on the local hard disk and any removable drives and attempted to infect them with copies of itself."
Symantec explained that Ramnit grew into a "fully featured cybercrime tool, featuring six standard modules that provide attackers with multiple ways to compromise a victim." There's a spy module, a cookie grabber, a drive scanner, an anonymous FTP server, a virtual network computing module and an FTP grabber. Microsoft and Symantec have released a remedy to clean and restore infected computers' defenses.
Microsoft Speaks Out
Microsoft, Symantec and AnubisNetworks worked together with Europol officials to shut down command-and-control servers and redirect 300 Internet domain addresses used by the botnet's operators. The Joint Cybercrime Action Taskforce also supported the operation. The Computer Emergency Response Team for the EU institutions, bodies and agencies relayed information on the victims to their peers, for risk mitigation purposes.
Microsoft also released a removal tool. That's important because, according to Redmond, the Ramnit threat tampers with anti-virus software and disables Windows Update, so that infected computers no longer receive critical security updates through either Windows Update or their anti-virus software.
"During the past six months, Microsoft detected approximately 500,000 instances of computers infected with Ramnit," the company said in a blog post. "If you're using Windows 8 or later versions, Windows Defender is built-in. If you're running an older operating system, you can install Microsoft Security Essentials."