The Ramnit worm, discovered in 2010, evolved after incorporating code from the notorious banking trojan Zeus.

An international effort by Europol and private companies, including Microsoft, has resulted in the takedown of command-and-control servers for the Ramnit botnet.

On Wednesday, Europol announced that its European Cybercrime Centre (EC3) coordinated the endeavor, and that, since its emergence, Ramnit has infected an estimated 3.2 million computers worldwide.

The Ramnit worm, discovered in 2010, quickly evolved into malware capable of targeting financial information. In 2011, researchers discovered a Ramnit variant that incorporated source code from the banking trojan Zeus, and in 2013, analysts detected an even trickier iteration of the threat that used HTML injection to display subtle changes in banking sites, in order to lure users into revealing their one-time passwords (OTP) to fraudsters.

At the time, researchers at Trusteer told SCMagazine.com that, by beating two-factor authentication and obtaining OTPs, fraudsters could complete fraudulent wire transfers initiated during attacks.

In its Wednesday release, Europol said that, in addition to shutting down command-and-control servers, the takedown team redirected 300 Internet domain addresses used by botnet operators.

Ramnit has been used by cybercriminals to “steal personal and banking information, namely passwords, and disable anti-virus protection” of Windows users, Europol said, and is often spread through phishing emails or when users visit infected websites. Microsoft, Symantec and email security and threat intelligence provider AnubisNetworks (a subsidiary of BitSight Technologies) aided law enforcement in the U.K., Germany, Italy and the Netherlands.

Although Ramnit has been propagated by attackers to steal financial information, the malware has also been linked to campaigns targeting user login credentials for other services, notably Facebook and video game distribution platform Steam.

According to Symantec, which published an overview of Ramnit's evolution and impact on Wednesday, the malware's modules that were borrowed from Zeus “transformed the Ramnit botnet into a vast cybercrime empire, spanning up to 350,000 compromised computers at present, harvesting banking credentials, passwords, cookies, and personal files from victims.”

India, Indonesia and Vietnam have been hardest hit by Ramnit in recent times, Symantec added, as 57 percent of victims reside in those countries. Six percent of Ramnit victims are located in the U.S., the company found.