Ramnit financial malware rips Facebook credentials

The Ramnit worm, which has morphed into dangerous financial malware, is also stealing
credentials from Facebook users, according to new research published Thursday.


Researchers at Israeli security firm Seculert have discovered a cache of Facebook login
credentials stolen by cybercriminals in control of Ramnit. The accounts were mainly from Facebook
users in the UK and France.

The company said a new Ramnit variant was behind the Facebook credential pilfering. Aviv Raff, founder and CTO of Seculert, said Ramnit is a serious threat to enterprises because attackers could use the account credentials to try to access corporate networks, since it is common for end users to use the same credentials for multiple accounts.

“Ramnit has already infected over 800,000 infected machines worldwide, and it has only begun to steal Facebook login credentials, so I guess it’s only a matter of time until the number will grow,” Raff said in an email message.

Raff said his research team suspects Ramnit is being controlled by a specific group of cybercriminals, since the malware is not being sold in underground forums. Members of the group likely specialize in different geographical regions, sending out different variants of the Ramnit malware, he said.

In addition, the cybercriminals controlling Ramnit can quickly spread it by using the stolen
credentials.

“We suspect that the attackers behind Ramnit are using the stolen credentials to log in to victims’ Facebook accounts and to transmit malicious links to their friends, thereby magnifying the malware’s spread even further,” the company said in its analysis.

Ramnit at one time was deemed a low-level concern by most security experts. It initially used an older generation of malicious techniques to infect Microsoft Windows executable files. Ramnit morphed last summer into a more powerful piece of malware when its owners used freely available Zeus source code to make it more effective. The malware commonly steals saved FTP credentials and browser cookies.

In August 2011, Boston-based security vendor Trusteer issued research into Ramnit, indicating that new variants using the Zeus code support man-in-the-browser attacks, enabling cybercriminals to bypass two-factor authentication, modify Web pages and covertly insert banking transactions.

“Ramnit’s authors followed the standard approach of malicious financial activities, supporting
all basic features required for well-bred financial malware,” Trusteer said.


Article source: http://searchsecurity.techtarget.com/news/2240113374/Ramnit-financial-malware-rips-Facebook-credentials