Canadians are most of the victims as banking Trojan returns

A banking botnet that was taken down nine months ago by police in several European countries earlier this year has come back, with Canadians counting for over half the victims so far.

According to a post from IBM this morning, the Ramnit Trojan and botnet, which once spread malware from some 300 domain addresses, has a new variant and has been seen in attacks on banks and e-commerce transactions in Canada, Australia, the U.S. and Finland.

New Ramnit Emerges – Target Geo Distribution per URL Count (Source: IBM Trusteer)

(Graphic from IBM)

“The Ramnit botnet is communicating with new attack servers, employs a completely new and much shorter configuration file and uses a revamped webinjection scheme against its infected victims,” Limor Kessem, an IBM security evangelist wrote. “The new Ramnit also operates with a real-time webinjection server, selectively pulling attack schemes on the fly when infected users browse to a few major banks in Canada.”

When Ramnit was first discovered in the wild in 2010, she said, it was only the name of a worm used as an infection vector that leveraged the use of removable drives and network shares to spread to new endpoints. In 2011, Ramnit’s developers added code chunks borrowed from the leaked Zeus Trojan sources and turned it into a banking Trojan.

The new Ramnit variants discovered by IBM are identical to the previous ones in terms of their source code and behavior patterns, researchers said. The only changes are in the webinjections and the configuration file. As a number of other Trojans, like Shifu, Dridex and Neverquest, use the exact same webinjections and remote servers, IBM suspects gangs behind these are purchasing software-as-a-service (SaaS) from the same injection developer.

Typically the malware is spread through malvertising in email and social media, leveraging the Angler exploit kit.

In February Europol’s European Cybercrime Centre co-ordinated a joint international operation to take down the Ramnit botnet, which it said had infected 3.2 million computers around the world. It was led by police in Britain, authorities in Germany, Italy, the Netherlands and help from Microsoft, Symantec and AnubisNetworks.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Article

ADaPT connects employers with highly skilled young workers

Help wanted. That’s what many tech companies across Canada are saying, and research shows that as the demand for skilled workers...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now