MENU
AVP for Institutionalization 2018

DILG STRATEGIC DIRECTION AVP

ACG-CYBER SECURITY BULLETIN NO 139 UNDERSTANDING THE RISK OF RAMNIT MALWARE

The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG).

The information provided was classified as “Restricted” pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.

SUMMARY

RAMNIT malware is notorious for infecting Windows executable/s, Microsoft Office and Hypertext Markup Language (HTML) files.  It is known to steal user names, passwords, browser cookies and will also allow hackers to take control of the infected computer.  Yet another disturbing quirk of RAMNIT is that it keeps on replicating itself without the need to be attached to an existing program.  In a nutshell, the RAMNIT is known to spread across the internet rapidly.

RAMNIT malware executes once a user accesses the website in which it is hosted, after which it drops and executes, a malware which is notable for having high damage potential with both backdoor and information theft capabilities.  Said malware then uses command and control (C&C) communication to receive remote commands and send information such as stolen cookies and sensitive account data. It also injects malicious codes into bank webpages in order to access confidential client information from unsuspecting victims.

Furthermore, RAMNIT proves itself to be a stubborn malware by injecting itself into all running processes to remain memory-resident and deleting anti-virus related registry keys to make it undetectable.

RAMNIT’s ability to evolve and spread is a key factor to its prevalence.  It was a worm that propagated through removable drives and File Transfer Protocol (FTP) servers.  Cyber criminals have also expanded the malware’s capabilities by adding features such as web injection mechanisms, allowing it to compromise the websites of financial organizations or serves as banking trojan that stole user credentials and other personal information.

RAMNIT’s proliferation can be attributed to its wide variety of distribution channels, which includes traditional phishing scams such as email spam and social engineering attacks. As an infector, RAMNIT can easily spread to new victims who are unable to clean up the infected files, making them prone to reinfection.

This infection is designed to create havoc in the victims computer with multiple effects ranging from showing annoying messages and advertisements to disastrous effects like slow and sluggish performance.

 

RECOMMENDATION

            The public are advised to follow these tips to avoid being a victim of Ramnit Malware, to wit:

  • Avoid freeware download websites as they usually install bundled of software with any installer or stub file;
  • Keep your system updated through automatic windows update;
  • Regular and periodical backup helps you to keep your data safe in case the system is infected by any kind of virus or any other infection;
  • Always have an Anti-Virus; and
  • Enable your popup blocker.

For additional information, please refer to the following websites:

  • https://blog.trendmicro.com/trendlabs-security-intelligence/ramnit-comeback-story-2016/
  • https://windowsreport.com/ramnit-malware-remove/
  • https://www.howtoremoveit.info/remove-ramnit-trojan-virus/

POINT OF CONTACT

            Please contact PCINSP ANGELICA STARLIGHT L. RIVERA, Chief, Personnel Records Management Section thru e-mail address This email address is being protected from spambots. You need JavaScript enabled to view it. or contact us on telephone number (632) 7230401 local 3562 for any inquiries related to this CYBER SECURITY BULLETIN.