Online banking comes under fresh security attack

An 18 month old file infecting worm Win32.Ramnit has morphed into financial malware and is actively attacking banks to commit online fraud. Ramnit configurations captured and reverse engineered by Trusteer were found to incorporate tactics from the Zeus financial malware platform.

Ramnit has borrowed from Zeus the ability to inject HTML code into a web browser, which it is using to bypass two-factor authentication and transaction signing systems used by financial institutions to protect online banking sessions.

The financial malware version of Ramnit was discovered by a zero-day anomaly detection system and remote incident investigation system. Ramnit’s command and control servers are located in Germany and are currently live. According to the Symantec Intelligence Report for July, Ramnit accounts for 17.3 percent of all new malicious software infections.

This number is consistent with other findings that tens of thousands of machines used for online banking are currently infected with Ramnit.

Ramnit was first detected in 2010 and targets .EXE, .SCR, .DLL. .HTML and other file types. File infection is an old school virus technique that is rarely seen in modern financial malware. The evolution of Ramnit into a fraud tool was made possible when the source code of the notorious Zeus financial malware platform was made freely available on the Internet earlier this year.

Since then, fraudsters and malware authors have borrowed parts of the Zeus toolkit and incorporated into other malware. Researchers found the method used to configure Ramnit to target a specific bank is identical to the one used by Zeus. This allows fraudsters who have written configurations for Zeus to easily port their configuration to Ramnit.

The metamorphosis of Ramnit into financial malware is a sign of things to come now that the Zeus source code has been made openly available to anyone on the Internet. Unlike the past, when financial institutions had to defend against a limited number of malware platforms, attacks can now come from virtually any malicious software program — old or new. The malware distribution channel for fraudsters has increased in scale significantly.

Prior to founding Trusteer, Amit Klein was Chief Scientist at Cyota (acquired by RSA Security) a leading provider of layered authentication solutions. In this role, Amit researched technologies that prevent online fraud, phishing, pharming, He filed several patents in those areas during his time at Cyota. Prior to Cyota, Amit worked as Director of Security and Research at Sanctum (acquired by Watchfire) where he was responsible for the security architecture of all Sanctum products. Prior to Sanctum, Amit spent almost 7 years serving in the Israeli Army as a research officer and project manager. He is a graduate of the prestigious Talpiot programme of the Israeli Army. He holds a B.Sc. (cum laude) in Mathematics and Physics from the Hebrew University (Jerusalem). Amit is also a world renowned security researcher, having published over two dozen articles, papers and technical notes on the topic of Internet security.