- Jan 24, 2011
- 9,378
The operators behind Ramnit malware stole banking information through a network of compromised computers that extended all over the world.
On Wednesday, Europol announced that 300 command and control servers for a large Ramnit botnet had been shut down, in an operation that engaged the efforts of private companies Microsoft, Symantec and AnubisNetworks.
Up until the takedown, the malware was believed to present little risk, especially since most antivirus products included detection for it.
In a blog post on Monday that talked about a custom Zeus admin panel infected with Ramnit, researchers at RSA said that reports about the malware had become a rarity in the past two years, “falling far below the 1% share of malware variants reported in the wild.”
Dynamic IPs make it difficult to track infected machines accurately
The exact size of the dismantled botnet is somewhat unclear, with Symantec reporting a network of 350,000 computers, while Microsoft indicated more than 500,000 machinesbeing infected in the past six months.
We turned to AnubisNetworks for details on this matter, and although the company could not disclose information from its Cyberfeed live threat intelligence feed service, it did say that both Symantec and Microsoft may be right in their assessment.
The infections are determined by unique IPs, but many Internet Service Providers (ISPs) have a dynamic scheme for providing them, and upon restarting the computer, a new address is assigned. This influences the results because the same machine can have multiple IPs in a period of time.
Also, multiple machines could be behind the same address, assigned to an Internet gateway device.
AnubisNetworks says that Microsoft may have relied in their estimation on the Key Performance Indicators (KPIs) available on the Windows machines
Infections detected in at least 28 countries
The information gathered by AnubisNetwork showed last week a peak at 350,000, but it was even higher in the past.
As far as geographical distribution of the infected computers is concerned, the company saw that most of the compromised systems were located in Indonesia, 90,925 accounting for 26,27%, which is consistent with Symantec's data.
Next came India with 80,144 infections (23,16%), and at a larger distance, Vietnam, with 34,708 (10,03%); Algeria (19,817 - 5,73%) and Thailand (16,747 - 4,84%) completed the top five list.
Read more: http://news.softpedia.com/news/Ramnit-Botnet-Extended-Across-the-World-474378.shtml
