Ramnit Analysis V1

I recently wrapped up an analysis of a Ramnit sample. Here is a download link for the PDF version and a link for the Google Docs version. The analysis is kind of a hybrid of an incident response report and a description of interesting low-level features. The analysis does not focus on functionality or commands of the malware but on how the malware interacts with parts of the operating system. The sample is from 2010. I was hoping to have downloaded one of the newer samples featured on Microsoft's Malware Protection blog, but that didn't happen on my first sample download. Sadly, by the time I realized the compile date it was too late. I was already way too curious how the sample worked to quit. If anyone has a hash of one of the newer samples featured on MS's blog, please shoot me an email or leave a comment. I'd like to look at the MITB injection features.

Disclaimer: The PDF was exported from Google Docs. I have noticed sometimes the images won't render properly in Firefox pdf.js.


  1. Good work!
    Something puzzled me though, Ramnit and Koobface are supposed to be different malware families, no? How do you explain that both names appear in VT results? Is it a Koobface sample infected by Ramnit?

    1. Hi. Thank you for the comment. I asked myself the same question. I still don't completely understand what the difference between Koobface and Ramnit is. One of the references I read mentioned that Koobface was spread through social networking sites such as Facebook and Twitter. But from a code perspective I do not know what the difference is. If I get around to a second version of this document I'll look into it.