Ramnit in the UK

By Asaf Nadler and Lior Lahav

Ramnit is a family of trojans that allows attackers to remotely control infected machines, in order steal personal and banking information [1], and open backdoors to download additional malware [2].

Initial versions of Ramnit appeared in late 2011 and infected more than 800,000 Windows PCs [3]. In May 2018, Ramnit was observed in the “Black” botnet, and was responsible for infecting more than 100,000 machines [2]. In this blog, we’re going to look at how Ramnit communications can be detected, and examine a campaign in the United Kingdom that has been active since early 2018.

Ramnit DGA

Ramnit establishes a communication channel with its command and control (C2) servers using a domain generation algorithms (DGA), with code that was made publicly available by the DGArchive project [4]. The DGA is executed with a 32-bit input seed to generate domain names that the Ramnit bot will attempt to communicate with.

The DGA code has two for-loops. The external for-loop generates a stream of characters from a pseudo-random generator (PRNG) based on the seed. The internal for-loop selects the domain length that ranges between 9 and 18 characters and “cuts” the stream based on the length (as portrayed in Figure 1). For instance: for the 32-bit input seed 1, the first two generated domain names would be “sldusxpiusmyhu.com” (of length 14) and “ldusxpiusmyh.com” (of length 12).

Figure 1: Ramnit DGA generates a stream of characters using a PRNG and selects their length based on its input seed and the previous selection.

Attackers often provide a new secret input seed for new campaigns to distinguish the new campaign C2 domains from previous campaigns.

Security researchers who detect new Ramnit campaigns often extract the seed and share it with the security community. This enables security products and teams to create a list of soon to be generated domain names so they can be blocked ahead of time, thus preventing Ramnit from communicating with any its C2 servers. For example, : Netlab 360 has published 41 new Ramnit seeds since January 12 2018 (see the changelog on [7]).

Detecting Ramnit Campaigns

Akamai’s enterprise security research teams use several approaches to detect DGAs. Specifically for Ramnit, Akamai leverages its global visibility to discover seeds shortly after they emerge. The one such approach  starts with a brute-force execution of the Ramnit DGA for every seed in the 2 32 input space to generate the first 8-character prefix of the first domain name. Domain names are guaranteed to have at least 8 characters, and if a seed is actively used by Ramnit DGA, we expect to see a domain name in DNS traffic that starts with these 8-characters.

The first elimination of non-active seeds is conducted by removing seeds whose produced eight character prefix does not appear in the specific time window of DNS traffic. The remaining seeds are termed “candidate seeds” and there are approximately a few hundred for every execution, which is significantly less than 232≈ 4billion domain names.

The second elimination of non-active seeds involves generating the first N domain names for every candidate seed and removing seeds whose first N domains were not present in the time window DNS traffic. Our algorithm then blocks every domain name for active seeds.

The two elimination phases depend on the volume and geographical distribution of the observed DNS traffic. Akamai ingests 2.2 trillion DNS queries daily, so we have significant visibility to detect worldwide botnet campaigns. This technique used on Ramnit shares several similarities with the one used by Akamai to detect Locky ransomware, and was displayed in Botconf 2017 [6].

 

Figure 2: The detection algorithm generates the first 8 characters for every seed and crosses them with 8-character prefixes of domain names that were observed in traffic to eliminate non-active seeds. The remaining seeds are used to generate the first N domain names and if all N domains appear in traffic, these domain names are henceforth identified as Ramnit C2 domains and blocked.

 

In early 2018, the above mentioned detection algorithm discovered a seed that was likely used by Ramnit DGA to generate 51 domain names. These domains were requested in DNS traffic by at least 100 machines over the past few months, and are slowly decreasing to roughly 50 machines (see Figure 3). The binary sample of the Ramnit bot with the 4131145401 seed had previously appeared in VirusTotal and similar reports ([8] and [9]).

Figure 3:The number of unique users that accessed the 51 domain names that were generated by Ramnit (seed 4131145401) over the past 45 days

Summary and Takeaways

Ramnit uses a DGA to communicate with its C2 server. The DGA uses a PRNG with a 32-bit secret input that allows defenders to try all possible combinations by bruteforce to generate potential domain names. However, in order to narrow down the set of potential domain names to active domain names that resolve to a C2 domain, Akamai uses its global DNS visibility to eliminate the domains that are not observed in traffic. Doing so provides accurate threat intelligence to act upon Ramnit and other DGA botnet threats.

 

Botnets that use DGA – and Ramnit in particular – are here to stay. The evidence of the on-going UK-based Ramnit campaign supports this conclusion. It is important to use security products that are capable of detecting DGA botnets and acting upon them.

 

References

 

[1] https://www.f-secure.com/v-descs/virus_w32_ramnit.shtml

[2] – https://research.checkpoint.com/ramnits-network-proxy-servers/

[3] – https://en.wikipedia.org/wiki/Ramnit

[4] – https://johannesbader.ch/2014/12/the-dga-of-ramnit/

[5] – Plohmann, Daniel, et al. “A comprehensive measurement study of domain generating malware.” 25th {USENIX} Security Symposium ({USENIX} Security 16). 2016.

[6] https://www.botconf.eu/2017/math-gpu-dns-cracking-locky-seeds-in-real-time-without-analyzing-samples/

[7] https://data.netlab.360.com/dga/

[8] https://any.run/report/54bcc508ff9a16f372cef51e6c6f31ab050b7335d81a51f8858e23d714eaea26/8d4bccb8-78b3-46df-a30f-fb0f1371a0aa

[9] https://www.virustotal.com/#/file/ec51498ab080f34902f31a5516784eeded58ca7da0cc25f49117db3768248591/detection



*** This is a Security Bloggers Network syndicated blog from The Akamai Blog authored by Asaf Nadler. Read the original post at: http://feedproxy.google.com/~r/TheAkamaiBlog/~3/7C1aC-rrW-Q/ramnit-in-the-uk.html