Aug 26, 2011 16:54 GMT

Security vendor Trusteer warns about a file infector which in the past several weeks has begun to transition towards stealing financial information.

Dubbed Ramnit, the virus was first discovered in 2010 and infects executable and HTML files in order to spread. It also copies itself to removable drives and opens a backdoor on the infected computers.

"Although Ramnit employs old generation malicious techniques, we kept it on our malware radar, and a few weeks ago we started seeing something interesting. Apparently, Ramnit morphed into a financial malware, or at least was used as a platform to commit financial fraud," Trusteer security researchers warn.

The malware communicates with the command and control server at all times over HTTPS, downloading updated instructions.

Like most banking trojans, it features a man-in-the-browser web injection component, which allows it to alter the pages users see in real time.

It can modify existing content or insert new fields into forms in order to trick victims into exposing more sensitive information that banks wouldn't normally ask for.
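An added example, not from Trusteer or the original article: a server-side check that compares the field names in the form the bank actually served with the parameter names that come back in the POST, so fields inserted in the browser stand out. The form markup, field names and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl

# Constructed sample: the login form as the server rendered it.
SERVED_FORM = """
<form id="login" method="post" action="/login">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf_token" value="constructed-token">
  <select name="language"><option>en</option></select>
  <button type="submit" name="go">Sign in</button>
</form>
"""

# Constructed sample: POST bodies as received by the server.
CLEAN_POST = "username=alice&password=x&csrf_token=constructed-token&language=en&go="
TAMPERED_POST = CLEAN_POST + "&atm_pin=1234&mothers_maiden_name=Smith"


class FormFieldCollector(HTMLParser):
    """Collects the name attribute of every form control in served HTML."""
    CONTROLS = {"input", "select", "textarea", "button"}

    def __init__(self):
        super().__init__()
        self.names = set()

    def handle_starttag(self, tag, attrs):
        if tag in self.CONTROLS:
            name = dict(attrs).get("name")
            if name:
                self.names.add(name)


def expected_fields(served_html):
    collector = FormFieldCollector()
    collector.feed(served_html)
    return collector.names


def unexpected_fields(served_html, post_body):
    """Return submitted parameter names that the served form never contained."""
    submitted = {k for k, _ in parse_qsl(post_body, keep_blank_values=True)}
    return sorted(submitted - expected_fields(served_html))


if __name__ == "__main__":
    print("clean:", unexpected_fields(SERVED_FORM, CLEAN_POST))
    print("tampered:", unexpected_fields(SERVED_FORM, TAMPERED_POST))
```

An inject that strips its extra fields before submission, or sends them somewhere other than the bank, will not show up in this check, so it complements rather than replaces endpoint detection.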

This standalone component is called Zeus, which leads security researchers to believe that it was borrowed from the notorious crimeware toolkit with the same name.

"Since the Zeus source code is available for free and given the similarities between Zeus’ and Ramnit’s 'standard financial approach' and configuration format, we suspect the malware authors incorporated parts of Zeus into Ramnit," they write.

In addition to the Zeus component, Ramnit also has modules to steal FTP credentials and session cookies, kill antivirus products and open an FTP server on the infected machines.

This is not the first piece of malware repurposed for financial fraud. Back in May, Trusteer warned that a rather obscure trojan called Sunspot had been redesigned to carry out such tasks.