Feeds

Dammit Ramnit! Worm slurps 45,000 Facebook passwords

Bank-raid malware is latest nasty to infect social networks

New hybrid storage solutions

A bank account-raiding worm has started spreading on Facebook, stealing login credentials as it creeps across the site, security researchers have revealed.

Evidence recovered from a command-and-control server used to coordinate the evolving Ramnit worm confirms that the malware has already stolen 45,000 Facebook passwords and associated email addresses. Experts from Seculert, who found the controller node, have supplied Facebook with a list of all the stolen credentials found on the server. Most of the victims are from either the UK or France.

Ramnit differs from other worms, such as Koobface, that have used Facebook to spread because it relies on multiple infection techniques and has only recently extended onto social networks. Koobface, by contrast, only uses Facebook or Twitter to spread.

"Ramnit started as a file infector worm which steals FTP credentials and browser cookies, then added some financial-stealing capabilities, and now recently added Facebook worm capabilities," Aviv Raff, CTO  at Seculert, told El Reg.

"We suspect that they use the Facebook logins to post on a victim's friends' wall links to malicious websites which download Ramnit," he added.

Ramnit first appeared in April 2010. By last July variants of the malware accounted for 17.3 per cent of all new malicious software infections, according to Symantec. A month later Trusteer reported that flavours of Ramnit were packing sophisticated banking login credential snaffling capabilities - technologies culled from the leak of the source code of the notorious ZeuS cybercrime toolkit at around the same time.

The new Ramnit configuration was able to bypass two-factor authentication and transaction-signing systems used by financial institutions to protect online banking sessions. The same technology might also be used to bypass two-factor authentication mechanisms in order to gain remote access to corporate networks, Seculert warns.

Invading Zuckerberg's Reservation

The move onto Facebook by the miscreants behind Ramnit seems designed primarily to expand the malware's distribution network and infect more victims.

"We suspect that the attackers behind Ramnit are using the stolen credentials to expand the malware’s reach," Seculert concludes, adding that capturing the login credentials of Facebook accounts creates a means to attack more sensitive accounts that happen to use the same email address and password combination.

"The cyber-criminals are also taking advantage of the fact that people usually use the same passwords for different web-based services (Facebook, Gmail, Corporate SSL VPN, Outlook Web Access, etc.) to gain remote access to corporate networks," it said.

The Ramnit outbreak on Facebook follows the November outbreak of an earlier worm that tried to infect victims with a variant of ZeuS.

"More and more malware families have started using social networks to reach victims instead of spam," Raff added.

In a statement, Facebook said it was applying security measures to contain the problem.

“Last week we received from external security researchers a set of user credentials that had been harvested by a piece of malware. Our security experts have reviewed the data, and while the majority of the information was out-of-date, we have initiated remedial steps for all affected users to ensure the security of their accounts. Thus far, we have not seen the virus propagating on Facebook itself, but have begun working with our external partners to add protections to our anti-virus systems to help users secure their devices. People can protect themselves by never clicking on strange links and reporting any suspicious activity they encounter on Facebook. We encourage our users to become fans of the Facebook Security Page (www.facebook.com/security) for additional security information.

Secure remote control for conventional and virtual desktops

More from The Register

next story
Google recommends pronounceable passwords
Super Chrome goes into battle with Mr Mxyzptlk
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Reddit wipes clean leaked celeb nudie pics, tells users to zip it
Now we've had all THAT TRAFFIC, we 'deplore' this theft
Enigmail PGP plugin forgets to encrypt mail sent as blind copies
User now 'waiting for the bad guys come and get me with their water-boards'
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
TorrentLocker unpicked: Crypto coding shocker defeats extortionists
Lousy XOR opens door into which victims can shove a foot
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.