Wednesday

Ramnit Worm Compromises 45000 Facebook Accounts

Ramnit worm takes the cyberstage as recent reports claim that it has compromised 45,000 Facebook accounts.

Microsoft published an entry about Ramnit worm last May 10, 2011. According to Microsoft Malware Protection System (MMPS) Threat Research and Response, "Win32/Ramnit is a family of multi-component malware that infects Windows executable files, Microsoft Office files and HTML files. Win32/Ramnit spreads to removable drives, steals sensitive information such as saved FTP credentials and browser cookies. The malware may also open a backdoor to await instructions from a remote attacker."

It originally targeted financial accounts, and just a few days ago, reports came out that 45K Facebook accounts were compromised. Seculert, which has been tracking the worm, reported that Ramnit has mostly been focusing on users in the United Kingdom and France, but has been attacking accounts all over the world. Seculert believes the motive behind the stolen credentials may have magnified the malware’s spread by sending links to the friends of compromised accounts.

Trusteer, a provider of secure web access services, reported in August 2011 that Ramnit gained the ability to “bypass two-factor authentication and transaction signing systems, gain remote access to financial institutions, compromise online banking sessions and penetrate several corporate networks.”

Suculert's lab who discovered Ramnit's recent targeting of Facebook accounts with considerable success, stealing over 45,000 Facebook login credentials worldwide, suspected that the attackers behind Ramnit are using the stolen credentials to log-in to victims' Facebook accounts and to transmit malicious links to their friends, thereby magnifying the malware's spread even further. In addition, cybercriminals are taking advantage of the fact that users tend to use the same password in various web-based services (Facebook, Gmail, Corporate SSL VPN, Outlook Web Access, etc.) to gain remote access to corporate networks.

Numerous external links are shared on Facebook daily and it is said to be one of the causes of the widespread attack. Porn and gross images attract attention and sharing links to friends that lead to infected external websites can compromise the Facebook account.

For some internet users who are interested to read about the coding or configuration, McAfee has detailed report about Ramnit. Otherwise, if you are just a normal web user, just be sure to use different passwords for different online accounts such as social networking sites (Facebook, Twitter, etc), emails, payment gateways (Paypal, Alertpay, Moneybookers). If a link is suspicious, do not click on it. Be wary with attachments even from friends. Your friend's account might already be compromised. Some infections such as the Ramnit worm are sometimes undetectable by antivirus software.

Other details about Ramnit can be found at MMPS.

Share |
Add to Technorati Favorites

No comments: