New Ramnit variant steals Facebook logins

Share this article:

The ever-evolving Ramnit worm is back, and this time it has gone after Facebook users, harvesting more than 45,000 login credentials worldwide, primarily from users in the U.K. and France, according to a blog post from Seculert Research Lab, which discovered a command-and-control (C&C) server holding the pilfered data.

Researchers found that the C&C server contained an open directory called "Facebook," with a text file called "Facebook accounts," Aviv Ruff, CTO of Seculert, told SCMagazine.com on Thursday. The file contained more than 45,000 unique Facebook usernames and passwords.

"We suspect that the attackers behind Ramnit are using the stolen credentials to expand the malware's reach," Seculert said.

The threat was first discovered in April 2010. Prior variants have infected Windows executable and HTML files, and stole stored data, including usernames, passwords, login credentials and browser cookies. Previous strains also have functioned as a backdoor, enabling a cyber thief to gain control of an infected computer.

Last July, Symantec reported that Ramnit was the most-blocked malware, accounting for 17 percent of incidents.

A variant spread a month later that incorporated source code from the notorious Zeus trojan, rendering it a hybrid capable of going after financial assets. Seculert said it was able to "bypass two-factor authentication and transaction signing systems, gain remote access to financial institutions, compromise online banking sessions and penetrate several corporate networks."

Computers are infected through drive-by download attacks, which occur when users simply visit a malicious website and become infected without taking any action. Machines also can be impacted if users click on rogue email links.

In the case of Facebook, once the attackers steal a user's login and password to the social networking site, they can access the victim's account to direct others to Ramnit.

Users should never click on suspicious links, even if posted by one of their friends on Facebook, Raff said. Also they should not share passwords across online accounts.

Seculert provided Facebook with all of the stolen credentials it detected on the Ramnit C&C servers.

Share this article:

Sign up to our newsletters

More in News

Brazilian president signs internet 'Bill of Rights' into law

Brazilian president signs internet 'Bill of Rights' into ...

President Dilma Rousseff signed the legislation on Wednesday at the NetMundial conference in Sao Paulo.

Android trojan sends premium SMS messages, targets U.S. users for first time

Android trojan sends premium SMS messages, targets U.S. ...

An SMS trojan for Android, known as FakeInst, has been observed sending premium SMS messages to users all over the world, including, for the first time, the United States.

Report: DDoS up in Q4 2013, vulnerability scanners leveraged to exploit sites

Report: DDoS up in Q4 2013, vulnerability scanners ...

Researchers observed 346 DDoS attacks in the final quarter of 2013 and attackers used Vega and Skipfish vulnerability scanners to exploit web flaws at financial companies.