Facebook: most hijacked logins by Ramnit were invalid

Menlo Park has provided further details in regards to a nasty piece of malware that stole Facebook usernames and passwords, mostly from users in France and the U.K.
Written by Emil Protalinski, Contributor

Ramnit, a worm first discovered almost two years ago, was recently reengineered to steal Facebook login credentials. The nasty worm had successfully pilfered more than 45,000 Facebook usernames and passwords worldwide, but mostly from users in France and the U.K.

I contacted Facebook for further details, and it turns out that the 45,000 number comes with a little asterisk. Furthermore, the social networking giant made a point to underline the fact that the virus is not actually spreading on Facebook, but across computers of users who access the service via their desktop browser.

"Last week we received from external security researchers a set of user credentials that had been harvested by a piece of malware," a Facebook spokesperson said in a statement. "Our security experts have reviewed the data, and while the majority of the information was out-of-date, we have initiated remedial steps for all affected users to ensure the security of their accounts. Thus far, we have not seen the virus propagating on Facebook itself, but have begun working with our external partners to add protections to our anti-virus systems to help users secure their devices. People can protect themselves by never clicking on strange links and reporting any suspicious activity they encounter on Facebook."

I was particularly interested in the "while the majority of the information was out-of-date" bit. I asked for clarification: was the number of valid login credentials actually much lower? "Yes, over half of these logins were either invalid or had old/expired passwords," a Facebook spokesperson said in a statement.

In other words, many Facebook users had correctly reacted and decided to change their password. Furthermore, many of the logins that were compromised were fake or throwaway accounts in the first place. Still, that leaves a good 20,000 users affected (I asked the spokesperson but he was unsure if the exact number could be declassified or not).

Either way, Facebook acted quickly to stop those behind the worm from using the accounts. "We were able to review and checkpoint all compromised credentials in under 24 hours after receiving the list," a Facebook spokesperson said in a statement.
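The statement above describes the triage Facebook ran on the harvested list: check which entries still match a live account and checkpoint those, while entries for accounts that no longer exist or whose password has already been changed need no action. The Python below is an added illustration, not code from the article or from Facebook; it runs that triage over a constructed credential dump against a constructed user store of salted PBKDF2 digests. The function names, the work factor and the "invalid / expired / valid" labels are assumptions for this example and say nothing about how Facebook's systems actually work.

```python
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 100_000  # PBKDF2 work factor; hypothetical value for this example


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, PBKDF2-HMAC-SHA256 digest) for a password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of a candidate password against the stored digest."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


# Constructed user store standing in for the account database. Only salted
# digests are kept; the plaintexts appear here solely to build the sample.
_SAMPLE_ACCOUNTS = {
    "alice@example.com": "correct horse battery",    # still uses the leaked password
    "bob@example.com": "new-password-after-reset",   # changed it after the news broke
    "carol@example.com": "hunter2",                  # still uses the leaked password
}
USER_STORE = {user: hash_password(pw) for user, pw in _SAMPLE_ACCOUNTS.items()}

# Constructed harvested list in the "login:password" form a researcher might
# hand over, including a duplicate line and an account that does not exist.
LEAKED_DUMP = """\
alice@example.com:correct horse battery
bob@example.com:old-password-bob-changed
carol@example.com:hunter2
nobody@example.com:throwaway123
alice@example.com:correct horse battery
"""


def triage_dump(dump: str, store: dict) -> dict:
    """Classify each leaked login.

    invalid   - no such account
    expired   - account exists but the leaked password no longer matches
    valid     - leaked password matches the current digest: checkpoint the account
    duplicate - repeated login:password pair, counted once only
    """
    seen = set()
    counts = Counter()
    to_checkpoint = set()
    for line in dump.splitlines():
        if ":" not in line:
            continue  # skip malformed lines rather than guessing a split
        login, password = line.split(":", 1)
        if (login, password) in seen:
            counts["duplicate"] += 1
            continue
        seen.add((login, password))
        if login not in store:
            counts["invalid"] += 1
            continue
        salt, digest = store[login]
        if verify_password(password, salt, digest):
            counts["valid"] += 1
            to_checkpoint.add(login)
        else:
            counts["expired"] += 1
    return {"counts": dict(counts), "checkpoint": sorted(to_checkpoint)}


if __name__ == "__main__":
    result = triage_dump(LEAKED_DUMP, USER_STORE)
    print(result["counts"])
    print("accounts to checkpoint:", result["checkpoint"])
```

Only the two accounts whose leaked password still matches the stored digest come out as "valid" and need a forced checkpoint; the bob line is the "old/expired password" case from Facebook's statement, and the nobody line is the "invalid" case. Verifying the leaked plaintext against the stored digest, rather than comparing plaintexts, means the triage never requires the site to hold passwords in the clear.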

If you're wondering about Ramnit itself, here's how Microsoft described the piece of malware when it first discovered it in April 2010:

Win32/Ramnit is a family of multi-component malware that infects Windows executable files, Microsoft Office files and HTML files. Win32/Ramnit spreads to removable drives, steals sensitive information such as saved FTP credentials and browser cookies. The malware may also open a backdoor to await instructions from a remote attacker.

Over a year later, Symantec followed up with an update. The security giant released a 21-page report titled "Symantec Intelligence Report: July 2011" (PDF) and had the following note about the worm:

The most frequently blocked malware for the last month was W32.Ramnit!html. This is a generic detection for .HTML files infected by W32.Ramnit, a worm that spreads through removable drives and by infecting executable files. The worm spreads by encrypting and then appending itself to files with .DLL, .EXE and .HTM extensions. Variants of the Ramnit worm accounted for 17.3 percent of all malicious software blocked by endpoint protection technology in July.

In August 2011, Trusteer reported that Ramnit had been modified to perform malicious financial activities:

Although Ramnit employs old generation malicious techniques, we kept it on our malware radar, and a few weeks ago we started seeing something interesting. Apparently, Ramnit morphed into a financial malware, or at least was used as a platform to commit financial fraud (we’re still investigating its modular architecture). Once installed Ramnit will continuously communicate with the Command and Control (C&C) server, reporting on its status and receiving configuration updates; inbound and outbound communication is over SSL (https).

Finally, here we are in January 2012, with Seculert giving us the details of "a completely new 'financial' Ramnit variant aimed at stealing Facebook login credentials":

We suspect that the attackers behind Ramnit are using the stolen credentials to log-in to victims' Facebook accounts and to transmit malicious links to their friends, thereby magnifying the malware's spread even further. In addition, cybercriminals are taking advantage of the fact that users tend to use the same password in various web-based services (Facebook, Gmail, Corporate SSL VPN, Outlook Web Access, etc.) to gain remote access to corporate networks.

Seculert discovered that 800,000 machines were infected with Ramnit between September 2011 and December 2011. If you ask me, the fact that fewer than half of the 45,000 stolen Facebook logins were still usable means Menlo Park got off easy. On the other hand, this is not the first time and it's definitely not the last time a worm is designed to specifically target Facebook users.
