Ramnit and its Pony module
In our automatic malware analysis tool we recently noticed an odd thing. When a Ramnit sample entered our sandbox, activity of the password stealer trojan Pony was sometimes flagged as well. Since Pony can act as a downloader and fetch additional malware onto the infected computer, and Ramnit has an extensible plugin interface of its own, we were not sure whether Pony was downloading and spreading the Ramnit virus or whether it was the other way around. So we decided to investigate.
According to our sandbox, the Pony signature was detected in a running copy of svchost.exe, the very same process which hosted Ramnit:
Extract from our Sandbox
This was already suspicious, because as far as we knew, Pony is a standalone executable and should have had its own process. After obtaining a memory dump of svchost.exe we soon realized that we were indeed dealing with a Pony variant built to fit as a plugin for Ramnit. It was compiled to a DLL with the exported functions StartRoutine, StopRoutine, ModuleCode and CommandRoutine:
Stud_PE – exported functions of Pony dll
Ramnit has various well-known modules that extend its capabilities:
Names like Cookie Grabber v0.2 (no mask) were not given by us; they are how the developers of Ramnit refer to these modules.
Ramnit uses RC4 to encrypt its traffic, and in this sample the RC4 key “fenquyidh” was used. We were curious whether there was any sign of a Pony module in Ramnit’s network communication, so we went through the generated pcap and found this:
Decoded Pony module within Ramnit’s network flow
So yes, apparently from now on we can count plus one module for Ramnit!
However, the story is not over yet, because we also wanted to know the URL this Pony module communicates with. In the standalone versions of Pony the URL was not hard to find, as it appeared in plain text in the executable. In this one, however, searching for “http://” did not yield any result. Digging a little deeper we saw that in this variant URLs are encoded with an incrementing XOR 13 instruction:
URL decoding subroutine
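The decoding scheme described above, as an added example that is not code from the original post or from the Ramnit/Pony authors. It assumes the key starts at 13 and increments by one per byte (the post does not spell out the exact schedule), and the sample dump and placeholder URL are constructed; the scanner shows how to locate such a string in a dump when a plain search for “http://” fails.

```python
# Added example, not code from the original post or from the Pony/Ramnit
# authors. It implements the "incrementing XOR" URL obfuscation the post
# describes plus a scanner that locates such strings in a memory dump.
# ASSUMPTION (not stated in the post): the first byte of each string is XORed
# with 13 and the key grows by one for every following byte, wrapping at 0xFF;
# strings are NUL-terminated after decoding.

START_KEY = 13


def xor_incrementing(data: bytes, start_key: int = START_KEY) -> bytes:
    """XOR byte i with (start_key + i) & 0xFF. The operation is its own inverse."""
    return bytes(b ^ ((start_key + i) & 0xFF) for i, b in enumerate(data))


def decode_string_at(blob: bytes, off: int, start_key: int = START_KEY):
    """Decode from `off` until a NUL terminator; None if a non-printable byte shows up."""
    out = bytearray()
    for i, b in enumerate(blob[off:]):
        c = b ^ ((start_key + i) & 0xFF)
        if c == 0:
            break
        if not 0x20 <= c < 0x7F:
            return None
        out.append(c)
    return out.decode("ascii")


def find_encoded_urls(blob: bytes, start_key: int = START_KEY,
                      marker: bytes = b"http://"):
    """A plain search for 'http://' finds nothing in a blob that uses this scheme,
    so instead: at every offset, undo the XOR on the first len(marker) bytes and
    check whether the marker appears; on a hit decode the whole string."""
    hits = []
    for off in range(len(blob) - len(marker) + 1):
        if xor_incrementing(blob[off:off + len(marker)], start_key) == marker:
            s = decode_string_at(blob, off, start_key)
            if s is not None:
                hits.append((off, s))
    return hits


# Constructed sample "dump": padding, one obfuscated URL (placeholder host, not
# the real C2 from the post), then a few unrelated bytes.
SAMPLE_URL = b"http://example.invalid/jaxx/about.php"
SAMPLE_DUMP = (b"\x90" * 8
               + xor_incrementing(SAMPLE_URL + b"\x00")
               + b"MZ\x00\x00")

if __name__ == "__main__":
    assert b"http://" not in SAMPLE_DUMP  # this is why a plain grep fails
    for off, url in find_encoded_urls(SAMPLE_DUMP):
        print(f"offset {off:#x}: {url}")  # offset 0x8: http://example.invalid/jaxx/about.php
```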
3f8550602d29b9e6e94bc1f2899870ae Pony module, connects to hxxp://18.104.22.168/jaxx/about.php