{"id":29852,"date":"2013-09-30T09:32:00","date_gmt":"2013-09-30T16:32:00","guid":{"rendered":"http:\/\/blogs.mcafee.com\/?p=29852"},"modified":"2025-06-04T02:08:25","modified_gmt":"2025-06-04T09:08:25","slug":"ramnit-malware-creates-ftp-network-from-victims-computers","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ramnit-malware-creates-ftp-network-from-victims-computers\/","title":{"rendered":"Ramnit Malware Creates FTP Network From Victims’ Computers"},"content":{"rendered":"

This blog post was written by Vikas Taneja.<\/em><\/p>\n

The Ramnit worm appeared in 2010. Within a year more than eight million PCs were infected worldwide. Initially the malware was just file infector spread by removable drives. Later it became better know for stealing user data via browser injection, targeting banking or game users.<\/p>\n

While reviewing the malware recently, we found new samples with active domains.<\/p>\n

Ramnit is still prevalent and old domains are regularly updated. Some of the domains have already been “sinkholed” (redirected to communicate only with a controlled server and not with its malicious developers) by other security researchers.<\/p>\n

Apart from its typical malware characteristics (infecting .exe\/html files, hooking Internet Explorer process) Ramnit sets up an FTP server on a victim’s machine. That FTP server becomes part of the RMNetwork FTP.<\/p>\n

This FTP server supports following commands:<\/h2>\n

USER, PASS, CWD, CDUP, QUIT, PORT, PASV, TYPE, MODE, RETR, STOR, APPE, REST, RNFR, RNTO, ABOR, DELE, RMD, MKD, LIST, NLST, SYST, STAT, HELP, NOOP, SIZE, EXEC, and PWD.<\/p>\n

Using these commands attackers can control the machine remotely, steal other sensitive files, and execute other malicious files. Infected machines that are firewalled or sit behind network address translation cannot “join” RMNetwork FTP, but they can communicate with the control server using TCP port 443 or 447 with custom encryption.<\/p>\n

By looking at the malware’s domain names, they seem to be created a domain generation algorithm. However, these active domains are hardcoded in the binary. This means new binaries are being created with the malware’s builder tool and are spreading by other malware or phishing scams. These domains are encrypted using the XOR algorithm with different keys for every sample.<\/p>\n

McAfee customers are already protected from this threat.<\/p>\n

 <\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

This blog post was written by Vikas Taneja. The Ramnit worm appeared in 2010. Within a year more than eight…<\/p>\n","protected":false},"author":674,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[1814,32,3952,180],"coauthors":[3973],"class_list":["post-29852","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-computer-security","tag-data-protection","tag-internet-security","tag-malware"],"acf":[],"yoast_head":"\nRamnit Malware Creates FTP Network From Victims' Computers | McAfee Blog<\/title>\n<meta name=\"description\" content=\"This blog post was written by Vikas Taneja. The Ramnit worm appeared in 2010. Within a year more than eight million PCs were infected worldwide. Initially\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Ramnit Malware Creates FTP Network From Victims' Computers | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"This blog post was written by Vikas Taneja. The Ramnit worm appeared in 2010. Within a year more than eight million PCs were infected worldwide. Initially\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ramnit-malware-creates-ftp-network-from-victims-computers\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2013-09-30T16:32:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-04T09:08:25+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/wp-content\/uploads\/20130930-Ramniit-11.png\" \/>\n<meta name=\"author\" content=\"McAfee\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ramnit-malware-creates-ftp-network-from-victims-computers\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ramnit-malware-creates-ftp-network-from-victims-computers\/\"},\"author\":{\"name\":\"McAfee\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa\"},\"headline\":\"Ramnit Malware Creates FTP Network From Victims’ Computers\",\"datePublished\":\"2013-09-30T16:32:00+00:00\",\"dateModified\":\"2025-06-04T09:08:25+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ramnit-malware-creates-ftp-network-from-victims-computers\/\"},\"wordCount\":297,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"keywords\":[\"computer security\",\"data protection\",\"internet security\",\"malware\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ramnit-malware-creates-ftp-network-from-victims-computers\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ramnit-malware-creates-ftp-network-from-victims-computers\/\",\"name\":\"Ramnit Malware Creates FTP Network From Victims' Computers | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"datePublished\":\"2013-09-30T16:32:00+00:00\",\"dateModified\":\"2025-06-04T09:08:25+00:00\",\"description\":\"This blog post was written by Vikas Taneja. The Ramnit worm appeared in 2010. Within a year more than eight million PCs were infected worldwide. Initially\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ramnit-malware-creates-ftp-network-from-victims-computers\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ramnit-malware-creates-ftp-network-from-victims-computers\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ramnit-malware-creates-ftp-network-from-victims-computers\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Ramnit Malware Creates FTP Network From Victims’ Computers\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa\",\"name\":\"McAfee\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/1ffadfeeda1f4f9e7891a81f27a9ecf4\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png\",\"caption\":\"McAfee\"},\"description\":\"We're here to make life online safe and enjoyable for everyone.\",\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/x.com\/McAfee\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Ramnit Malware Creates FTP Network From Victims' Computers | McAfee Blog","description":"This blog post was written by Vikas Taneja. The Ramnit worm appeared in 2010. Within a year more than eight million PCs were infected worldwide. Initially","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Ramnit Malware Creates FTP Network From Victims' Computers | McAfee Blog","og_description":"This blog post was written by Vikas Taneja. The Ramnit worm appeared in 2010. Within a year more than eight million PCs were infected worldwide. Initially","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ramnit-malware-creates-ftp-network-from-victims-computers\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2013-09-30T16:32:00+00:00","article_modified_time":"2025-06-04T09:08:25+00:00","og_image":[{"url":"https:\/\/www.mcafee.com\/wp-content\/uploads\/20130930-Ramniit-11.png","type":"","width":"","height":""}],"author":"McAfee","twitter_card":"summary_large_image","twitter_creator":"@McAfee","twitter_site":"@McAfee","twitter_misc":{"Written by":"McAfee","Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ramnit-malware-creates-ftp-network-from-victims-computers\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ramnit-malware-creates-ftp-network-from-victims-computers\/"},"author":{"name":"McAfee","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa"},"headline":"Ramnit Malware Creates FTP Network From Victims’ Computers","datePublished":"2013-09-30T16:32:00+00:00","dateModified":"2025-06-04T09:08:25+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ramnit-malware-creates-ftp-network-from-victims-computers\/"},"wordCount":297,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"keywords":["computer security","data protection","internet security","malware"],"articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ramnit-malware-creates-ftp-network-from-victims-computers\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ramnit-malware-creates-ftp-network-from-victims-computers\/","name":"Ramnit Malware Creates FTP Network From Victims' Computers | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"datePublished":"2013-09-30T16:32:00+00:00","dateModified":"2025-06-04T09:08:25+00:00","description":"This blog post was written by Vikas Taneja. The Ramnit worm appeared in 2010. Within a year more than eight million PCs were infected worldwide. Initially","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ramnit-malware-creates-ftp-network-from-victims-computers\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ramnit-malware-creates-ftp-network-from-victims-computers\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/ramnit-malware-creates-ftp-network-from-victims-computers\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Ramnit Malware Creates FTP Network From Victims’ Computers"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa","name":"McAfee","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/1ffadfeeda1f4f9e7891a81f27a9ecf4","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png","caption":"McAfee"},"description":"We're here to make life online safe and enjoyable for everyone.","sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/x.com\/McAfee"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/mcafee\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/29852","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/674"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=29852"}],"version-history":[{"count":3,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/29852\/revisions"}],"predecessor-version":[{"id":215075,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/29852\/revisions\/215075"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=29852"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=29852"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=29852"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=29852"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}