Ramnit Worm Steals 45,000 Facebook Log-Ins
January 6, 2012


A computer worm spreading on Facebook is stealing login credentials and associated email addresses, and is acting as a back door that allows hackers to gain access to the infected computers, reports John Leyden for The Register.

Experts from online security firm Seculert, who found the controller node, have supplied Facebook with a list of the stolen credentials, primarily from France and the UK, found on the server. Ramnit was identified in April 2010 and is known to infect Windows executables, Microsoft Office and HTML files, Emma Woollacott reports for TG Daily.

“Ramnit started as a file infector worm which steals FTP credentials and browser cookies, then added some financial-stealing capabilities, and now recently added Facebook worm capabilities,” explains Aviv Raff, CTO at Seculert. “We suspect that they use the Facebook logins to post on a victim's friends' wall links to malicious websites which download Ramnit.”

The latest Ramnit configuration is bypassing two-factor authentication and transaction-signing systems used by financial institutions to protect online banking. The same technology, Seculert warns, might also be used to bypass two-factor authentication mechanisms and gain remote access to corporate networks.

Members of Facebook are warned not to click on suspicious links and to become fans of the Facebook Security Page for additional security information, writes Chloe Albanesius for PC Mag. Vice president of security research at Zscaler ThreatLabZ, Michael Sutton, suggested that Ramnit is simply following the money and crowds of unsavvy social network users.

“Just as communication overall has shifted from traditional mediums such as email to social networks like Facebook, malware writers likewise are adopting their victim's preferred means of communication,” Sutton said in a statement.

“Ramnit was not initially designed to harvest Facebook credentials, but the Ramnit maintainers have recognized the value of Facebook accounts for propagation.”

People are now less likely to click a random link via email, but trust is still relatively high on Facebook. “Receiving communication from a trusted contact on Facebook will have much higher click-through rates,” Sutton said.

“Victims are simply not aware that the 'trusted' Facebook account from which the communication was received may itself have already been compromised.”

In general, Facebook is “doing a decent job of preventing such attacks, but it has so far been playing a losing game when it comes to preventing the social network from being used as a catalyst to promote attacks,” he concluded.

