The Return of Ramnit: Life After a Law Enforcement Takedown
Organized cybercrime is known to attract the attention of international law enforcement and regional counter-cybercrime task forces. Botnet takedowns are one of the means by which police forces from around the world coordinate the disruption of digital crime.
Cases of botnet takedowns date back to a variety of spam zombie networks like Pushdo, Rustock, Grum and Simda, and they have since been expanded to include the more complex task of taking down banking Trojan infrastructures.
Ramnit Gets Taken Down
So far, the truly big cases have been the GameOver Zeus botnet, which relied on an internal P2P scheme to run a more resilient zombie army with no single point of failure; Shylock, which was disrupted by British police together with an international consortium of law enforcement agencies and information security firms; and, of course, Ramnit. Since then, police have taken down another botnet, NgrBot (aka Dorkbot), as well.
In the cases where law enforcement intervened to seize the command-and-control servers and the rendezvous domains the bots would have contacted next, the banking Trojan gangs did not appear to recover. This is possibly because they wanted to escape further attention from law enforcement and the potential legal consequences.
While spam botnets have been known to come back from the dead, banking Trojan botnets never have. Until September this year, takedown operations targeting major financial malware were widely considered the death of the operation, since the gang behind it lost touch with all of its money-making zombies.
According to IBM X-Force malware researchers, that may have officially changed in December 2015. Not even a year after Ramnit was taken down, they have found a new variant of the Ramnit banking Trojan and its botnet, in what appears to be the first real re-emergence of a banking Trojan botnet after a law enforcement takedown. Both are already active in attacks on banks and e-commerce transactions in Canada, Australia, the U.S. and Finland.