In a coordinated joint international operation utilising Europol’s European Cybercrime Centre (EC3), the Ramnit botnet has been disrupted to help disinfect 3.2 million computers.
Led by investigators from the UK, and involving Germany, Italy, the Netherlands and private-industry partners including Microsoft, Symantec and AnubisNetworks, the operation worked to shut down command and control servers and redirect 300 domain addresses used by the botnet’s operators.
The botnet was used to gain remote access to and control of the infected computers, enabling its operators to steal personal and banking information, including passwords, and to disable anti-virus protection. It was capable of monitoring web browsing sessions and stealing banking credentials. It could also steal website cookies, allowing attackers to impersonate the victim, take files from the victim’s hard disk, and grant the attackers remote access to the computer, allowing them to exfiltrate stolen information or download additional malware.
The group behind it has been in operation for at least five years. Symantec said that the authors have incorporated a number of features that make it difficult to banish from a compromised computer. During installation, it places a copy of itself into the computer’s memory as well as writing itself to the hard disk. The memory-based copy actively monitors the hard disk and, if it detects that the hard disk-based copy has been removed or quarantined, drops another copy back on to the hard disk to keep the infection alive.
The effort was supported by the Joint Cybercrime Action Taskforce (J-CAT), located at Europol’s headquarters, while CERT-EU relayed information on the victims to their peers for risk mitigation purposes.
Wil van Gemert, deputy director operations at Europol, said: “This successful operation shows the importance of international law enforcement working together with private industry in the fight against the global threat of cyber crime.
“We will continue our efforts in taking down botnets and disrupting the core infrastructures used by criminals to conduct a variety of cyber crimes. Together with the EU Member States and partners around the globe, our aim is to protect people around the world against these criminal activities.”