'Ramnit' worm hijacks 45,000 Facebook logins

Summary: A nasty piece of malware is siphoning usernames and passwords from Facebook accounts, mostly in the U.K. and France.

A nasty worm slithering through Facebook has successfully pilfered more than 45,000 usernames and passwords from users of the world's most popular social network.

Most of the Facebook victims are in the U.K. and France, according to researchers at Seculert.

The worm, called Ramnit, was first discovered around 2010 stealing FTP credentials and browser cookies from infected machines.

In 2011, the worm started hijacking financial data and by the end of the year, had been found on about 800,000 Windows computers.

Now, Seculert has discovered a new target -- Facebook usernames and passwords.

Recently, our research lab identified a completely new 'financial' Ramnit variant aimed at stealing Facebook login credentials. Since the Ramnit Facebook command-and-control URL is visible and accessible it was fairly straightforward to detect that over 45,000 Facebook login credentials have been stolen worldwide, mostly from users in the United Kingdom and France.

We suspect that the attackers behind Ramnit are using the stolen credentials to log-in to victims' Facebook accounts and to transmit malicious links to their friends, thereby magnifying the malware's spread even further. In addition, cybercriminals are taking advantage of the fact that users tend to use the same password in various web-based services (Facebook, Gmail, Corporate SSL VPN, Outlook Web Access, etc.) to gain remote access to corporate networks.

Seculert has notified Facebook of the attack and provided Facebook with all the stolen credentials found on the worm's command-and-control server.

Topics: Malware, Security, Social Enterprise

Talkback

9 comments
  • RE: 'Ramnit' worm hijacks 45,000 Facebook logins

    "In 2011, the worm started hijacking financial data and by the end of the year, had been found on about 800,000 Windows computers." Is it safe to say that this worm affects only Windows users?

    It would be interesting to find out.
    Banzaii
    • Safe to assume yes

      @Banzaii
      It is a trojan after all. Just like OS X trojans only affect OS X users, this Windows trojan only affects Windows users. This trojan does not take advantage of any security vulnerabilities in Windows, it simply asks for administrative permissions through UAC and if it gets it, goes ahead and does its things with the permissions that the user has willingly given it.

      No OS can protect against this.
      toddybottom
      • RE: 'Ramnit' worm hijacks 45,000 Facebook logins

        @toddybottom
        Unless the worm is coded correctly so it doesn't prompt UAC.. Or it attaches itself to the user profile like many Fakeware does. In this case there's no UAC to trigger and the user is unaware.
        Anthony E
      • True in general, not in this case

        In general, all OSs allow users to choose to download and run programs without requiring root privileges. Windows is no different in this regard.

        In this case though, the trojan attempts to spread itself by infecting executable files on the computer and since any properly coded application has an installer that does not allow regular user accounts to modify its executable files, Ramnit would be unable to do that one part of its job.

        You are right though, a trojan could be written to do some nasty stuff without requiring elevated privileges on Linux, OS X, or Windows.
        toddybottom
      • RE: True in general, not in this case

        @toddybottom wrote:
        "a trojan could be written to do some nasty stuff without requiring elevated privileges on Linux, OS X, or Windows."

        It's already been done on both Windows and Mac OS X:

        "Zeus
        http://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99&tabid=2

        "Mac Defender
        http://www.maximumpc.com/article/news/game_afoot_mac_defender_malware_already_evolving

        With its 1-2 % market share, no one bothers with desktop Linux. Even Mac OS X gets very little attention relative to Windows.

        This is why Mark Russinovich of Microsoft doesn't refer to UAC as a security boundary. His expectation is that the malware miscreants will simply target standard user accounts. He was right and it's already started.
        Rabid Howler Monkey
  • if you're going to download and run just anything

    Then you should be using a very low priv account that lacks the ACLs to write to directories where executables are stored
    archangel9999
  • RE: 'Ramnit' worm hijacks 45,000 Facebook logins

    "'Ramnit' worm hijacks 45,000 Facebook logins"

    And still many sites like this one continue to promote joining Facebook!!!
    rocketman67
    • RE: 'Ramnit' worm hijacks 45,000 Facebook logins

      @rocketman67 ""'Ramnit' worm hijacks 45,000 Facebook logins"
      What's the ratio of 45,000 of over 800 million accounts?

      And still many sites like this one continue to promote joining Facebook!!!"
      Maybe I've missed those particular "promotions" by zdnet contributors to join FB, but I haven't seen zdnet advocating joining FB. I have seen, however, quite a few zdnet contributors not just advocating, but practically gushing over how great Google+ is and predicting G+ will be the end of FB.

      Also (this wasn't something you mentioned, but I do think it's important) 800k Windows computers infected is something less than 8% of Windows user base. And the fact that most of those were infected are in the U.K. and France. I don't know about the U.K., but I have friends around the world and in a great many nations no one buys genuine Windows os because pirated copies are so easy and so cheap to get. And since non-genuine copies of Windows don't get updated it's almost expected that many of those machines will get infected.
      xplorer1959
      • RE: 'Ramnit' worm hijacks 45,000 Facebook logins

        @xplorer1959
        "Maybe I've missed those particular "promotions" by zdnet contributors to join FB,"

        On the right side of the screen, below "Blogs From Our Sponsors" and above "Blog Roll" is a facebook frame with a login button and statement "You need to be logged into Facebook to see your friends' recent activity."

        Right click, NoScript, and Yep, FaceBook wants to run a script.

        So I would say while ZDNet isn't encouraging FB use ZDNet is at the least ... Encouraging FB use.
        rmhesche