Sunday, January 8, 2012

Ramnit worm goes after Facebook credentials


A pervasive worm has expanded its reach to now steal login and password details for Facebook users, warned security vendor Seculert, which found a server holding 45,000 login credentials.

The worm, called Ramnit, infects Windows executables, Microsoft Office and HTML files, according to a profile published by Microsoft. It steals user names, passwords, browser cookies and can also function as a backdoor, allowing a hacker to do other malicious actions on an infected computer.

Researchers from Seculert discovered a command-and-control server for the worm and found that it had harvested some 45,000 credentials from Facebook users, mostly in the UK and France, according to its blog.
Aviv Raff, CTO and cofounder of Seculert, said Ramnit's authors may be finding that attacking social networks is a more productive way to collect people's sensitive data.

"We see a growing trend of malware writers embedding social networks in the malware instead of sending the malware itself via email spam," Raff said. "This is the same for Ramnit."

Once the Facebook login and password have been collected, it is suspected that the victim's account is then accessed and a link is posted on their Facebook profile that leads to Ramnit, which will try and infect the computer.

"We suspect that they use these credentials to continuously spread the Ramnit malware through Facebook," Raff said.

Another security vendor, Trusteer, noted last year that Ramnit appeared to have been modified in order to commit financial fraud, acquiring similar capabilities as the famous Zeus and SpyEye malicious software programs.

Ramnit can inject HTML fields into a Web page and ask for information on a banking site that would not normally be asked, Trusteer noted in a blog post on Aug. 22.

Seculert estimates that some 800,000 computers were infected with Ramnit between September through the end of December. A Symantec report from July 2011 put Ramnit as the most common piece of malware it blocked in June and July 2011.

Ramnit's mining of Facebook could yield passwords that people have re-used on other websites, a common mistake that gives hackers an easy in.
"Many users use the same password for Facebook and other organization web services, such as SSL VPN or Outlook Web Access," Raff said. The "attackers may use this to gain remote access to corporate networks. Same goes for their online bank account."