The latest version of the Ramnit worm steals Facebook credentials and spams friends on the social-networking site to spread itself instead of relying on email, researchers said.
A new variant of the Ramnit
worm has managed to steal log-in credentials for several thousand Facebook
accounts, according to researchers at Seculert.
The latest Ramnit variant
stole more than 45,000 Facebook passwords and tried compromising other accounts
belonging to the victims, such as virtual private networks, emails and other
Web services, Seculert researchers
wrote Jan. 4. By examining the command-and-control
server associated with Ramnit, Seculert researchers were able to detect the
stolen credentials, most of which were from the United Kingdom and France.
Ramnit was first detected
more than 18 months ago and targeted online banking and FTP credentials by
infecting HTML files, Office documents and Windows executables, according to a
profile published in Microsoft Security Intelligence Report Volume 11. Ramnit
variants often abuse the Autorun feature and incorporate social-engineering
tricks to con users into helping the malware spread, according to Microsoft. It
can steal log-in credentials and browser cookies, as well as open a backdoor to
the infected machine.
"Recently, our research
lab identified a completely new 'financial' Ramnit variant aimed at stealing
Facebook log-in credentials," Seculert wrote.
analyzed a Ramnit
in June and found that it had "morphed" into malware
capable of financial fraud. The financial worm exhibited similarities with the
Zeus Trojan and was able to use the large infected base of machines to spam
users with malicious links, according to Trusteer. The variant found by
Seculert appears to be a more recent version targeting social-networking sites,
Attackers are also using the
stolen information collected by the newest Ramnit worm to log in to the
victims' accounts and send malicious links to all their friends to help spread
the malware, the researchers found.
It appears that
cyber-criminals are now experimenting with replacing the old-school email worms
with more up-to-date social-network worms, Seculert researchers said. Another
worm was detected in November by researchers at Denmark's CSIS which used a
similar method to spread on Facebook.
The Facebook worm
credentials and then spammed out malicious links to the victims' friends. The
links led to a supposed photo Website which downloaded a variety of malware on
users' machines, including a variant of the Zeus Trojan.
Malware writers need to
communicate with their victims to infect them and further propagate their
attacks, Michael Sutton, vice president of security research at Zscaler
ThreatLabZ, told eWEEK
users are shifting away from email to communicate on social networks, and
malware writers are making the same shift to adopt the victims' "preferred
means of communication," Sutton said.
While users recognize that
email can be easily spoofed and will often ignore suspicious messages, they are
less likely to ignore messages sent over Facebook, according to Sutton.
"Victims are simply not aware that the 'trusted' Facebook account from
which the communication was received may itself have already been
compromised," he said.
After stealing the
credentials, attackers tested the information to see whether users had reused
their passwords on other sites and applications, such as corporate email and
Gmail, according to Seculert.
A worm designed to steal
from financial institutions has evolved into a social-network threat, John
Weinschenk, CEO at Cenzic, told eWEEK
"Bank account numbers and Facebook log-in credentials seem very different,
but to hackers, they are equally as lucrative," Weinschenk said.
Users need to be vigilant
about changing passwords often, avoid clicking on unknown links and alert their
friends to a potential malicious link they might have posted, Weinschenk recommended.
Previous Ramnit variants infected
more than 800,000 machines in the last five months of 2011, estimated Seculert
researchers. A Symantec report from July estimated that Ramnit worm variants
accounted for 17.3 percent of all new malicious software infections.