A new variant of the Ramnit worm has managed to steal log-in credentials for several thousand Facebook accounts, according to researchers at Seculert.
The latest Ramnit variant stole more than 45,000 Facebook passwords and tried compromising other accounts belonging to the victims, such as virtual private networks, emails and other Web services, Seculert researchers wrote Jan. 4. By examining the command-and-control server associated with Ramnit, Seculert researchers were able to detect the stolen credentials, most of which were from the United Kingdom and France.
Ramnit was first detected more than 18 months ago and targeted online banking and FTP credentials by infecting HTML files, Office documents and Windows executables, according to a profile published in Microsoft Security Intelligence Report Volume 11. Ramnit variants often abuse the Autorun feature and incorporate social-engineering tricks to con users into helping the malware spread, according to Microsoft. It can steal log-in credentials and browser cookies, as well as open a backdoor to the infected machine.
“Recently, our research lab identified a completely new ‘financial’ Ramnit variant aimed at stealing Facebook log-in credentials,” Seculert wrote.
Trusteer researchers analyzed a Ramnit variant in June and found that it had “morphed” into malware capable of financial fraud. The financial worm exhibited similarities with the Zeus Trojan and was able to use the large infected base of machines to spam users with malicious links, according to Trusteer. The variant found by Seculert appears to be a more recent version targeting social-networking sites, instead.
Attackers are also using the stolen information collected by the newest Ramnit worm to log in to the victims’ accounts and send malicious links to all their friends to help spread the malware, the researchers found.
It appears that cyber-criminals are now experimenting with replacing the old-school email worms with more up-to-date social-network worms, Seculert researchers said. Another worm was detected in November by researchers at Denmark’s CSIS which used a similar method to spread on Facebook.
The Facebook worm stole user credentials and then spammed out malicious links to the victims’ friends. The links led to a supposed photo Website which downloaded a variety of malware on users’ machines, including a variant of the Zeus Trojan.
Malware writers need to communicate with their victims to infect them and further propagate their attacks, Michael Sutton, vice president of security research at Zscaler ThreatLabZ, told eWEEK. Internet users are shifting away from email to communicate on social networks, and malware writers are making the same shift to adopt the victims’ “preferred means of communication,” Sutton said.
While users recognize that email can be easily spoofed and will often ignore suspicious messages, they are less likely to ignore messages sent over Facebook, according to Sutton. “Victims are simply not aware that the ‘trusted’ Facebook account from which the communication was received may itself have already been compromised,” he said.
After stealing the credentials, attackers tested the information to see whether users had reused their passwords on other sites and applications, such as corporate email and Gmail, according to Seculert.
A worm designed to steal from financial institutions has evolved into a social-network threat, John Weinschenk, CEO at Cenzic, told eWEEK. “Bank account numbers and Facebook log-in credentials seem very different, but to hackers, they are equally as lucrative,” Weinschenk said.
Users need to be vigilant about changing passwords often, avoid clicking on unknown links and alert their friends to a potential malicious link they might have posted, Weinschenk recommended.
Previous Ramnit variants infected more than 800,000 machines in the last five months of 2011, estimated Seculert researchers. A Symantec report from July estimated that Ramnit worm variants accounted for 17.3 percent of all new malicious software infections.