Bot of the day: Ramnit/Ninmul

From Botnets.fr

Malware: Ramnit, Ninmul
Date: 2011 / 18 July 2011
Link: http://www.emergingthreatspro.com/bot-of-the-day/bot-of-the-day-ramnitninmul/
Author: Matthew Jonkman

Abstract

Ramnit is interesting because it tries to slide a command and control channel in on port 443 (SSL). Why port 443? A few reasons I might choose to do that:

  1. Many sites disable app processing on port 443 to save load on their IDS engine.
  2. Some old content filters used to just look at IP and nothing else for what they assumed was SSL.
  3. Port 443 is usually left wide open on firewalls that can’t proxy.

Bibtex

 @misc{Jonkman2011BFR810,
   editor = {},
   author = {Matthew Jonkman},
   title = {Bot of the day: Ramnit/Ninmul},
   date = {2011-07-18},
   month = jul,
   year = {2011},
   howpublished = {\url{http://www.emergingthreatspro.com/bot-of-the-day/bot-of-the-day-ramnitninmul/}},
 }