The Ramnit worm, which has morphed into dangerous financial malware, is also stealing credentials from Facebook users, according to new research published Thursday.
Researchers at Israeli security firm Seculert have discovered a cache of Facebook login credentials stolen by cybercriminals in control of Ramnit. The accounts were mainly from Facebook users in the UK and France.
The company said a new Ramnit variant was behind the Facebook credential pilfering. Aviv Raff, founder and CTO of Seculert, said Ramnit is a serious threat to enterprises because attackers could use the stolen account credentials to try to access corporate networks, since it is common for end users to reuse the same credentials across multiple accounts.
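The enterprise risk Raff describes is password reuse: a Facebook password lifted by Ramnit may also open a corporate account. The following is an added example (not Seculert's tooling or anything from the article) of the check an incident responder would run once a stolen-credential cache is obtained: hash each leaked plaintext password under the corporate directory's own scheme and flag every account whose stored hash matches, so those accounts can be reset before the credentials are tried against the corporate network. The directory scheme (salted PBKDF2-HMAC-SHA256), the work factor, and the rule mapping a leaked e-mail address to a corporate login are all assumptions; the directory and the stolen cache are constructed sample data.

```python
"""Password-reuse exposure check for a stolen-credential cache.

Added example, not code from Seculert or the article. Assumptions:
  * the corporate directory stores salted PBKDF2-HMAC-SHA256 hashes
  * the corporate login is the local part of the user's e-mail address
  * the cache contains plaintext passwords (as a malware keylogger would capture)
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 50_000  # assumption: the directory's configured work factor


def hash_password(password: str, salt: bytes, rounds: int = PBKDF2_ROUNDS) -> bytes:
    """Hash a password the way the (assumed) corporate directory does."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


def make_directory_entry(password: str) -> dict:
    """Build a constructed directory record with a fresh random salt."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed corporate directory keyed by corporate login name.
CORPORATE_DIRECTORY = {
    "alice": make_directory_entry("Tr0ub4dor&3"),
    "bob": make_directory_entry("correct horse battery staple"),
    "carol": make_directory_entry("S3cur3!Passw0rd"),
}

# Constructed sample of a stolen-credential cache: (e-mail, plaintext password).
STOLEN_CACHE = [
    ("alice@example.co.uk", "Tr0ub4dor&3"),   # same password as corporate account
    ("bob@example.fr", "something-else"),     # different password, no reuse
    ("dave@example.fr", "hunter2"),           # no corporate account at all
]


def map_to_corporate_login(email: str) -> str:
    """Assumed mapping rule: corporate login == lower-cased local part of the e-mail."""
    local, _, _ = email.partition("@")
    return local.lower()


def find_reused_credentials(stolen: list, directory: dict) -> list:
    """Return the corporate logins whose stored hash matches a leaked password.

    Each leaked password is re-hashed under the account's own salt; comparison
    uses hmac.compare_digest so that timing does not leak how far a match got.
    """
    flagged = []
    for email, password in stolen:
        login = map_to_corporate_login(email)
        entry = directory.get(login)
        if entry is None:
            continue  # leaked account has no corporate counterpart
        candidate = hash_password(password, entry["salt"])
        if hmac.compare_digest(candidate, entry["hash"]):
            flagged.append(login)
    return flagged


if __name__ == "__main__":
    for login in find_reused_credentials(STOLEN_CACHE, CORPORATE_DIRECTORY):
        print(f"force password reset and review recent logins for: {login}")
```

The comparison is done against the directory's hashes rather than by decrypting or exporting plaintext, so the check can be run by the security team without ever widening access to corporate passwords; accounts it flags are the ones attackers holding the cache could log into directly.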
“Ramnit has already infected over 800,000 machines worldwide, and it has only begun to steal Facebook login credentials so, I guess, it's only a matter of time until the number will grow,” Raff said in an email message.
Raff said his research team suspects Ramnit is being controlled by a specific group of cybercriminals, since the malware is not being sold in underground forums. Members of the group likely specialize in different geographical regions, sending different variants of the Ramnit malware, he said.
In addition, the cybercriminals controlling Ramnit can quickly spread it by using the stolen credentials.
“We suspect that the attackers behind Ramnit are using the stolen credentials to log in to victims' Facebook accounts and to transmit malicious links to their friends, thereby magnifying the malware's spread even further,” the company said in its analysis.
Ramnit at one time was deemed a low-level concern by most security experts. It initially used an older generation of malicious techniques to infect Microsoft Windows executable files. Ramnit morphed last summer into a more powerful piece of malware when its owners used freely available Zeus source code to make it more effective. The malware commonly steals saved FTP credentials and browser cookies.
In August 2011, Boston-based security vendor Trusteer issued research into Ramnit, indicating that new variants using the Zeus code support man-in-the-browser attacks, enabling cybercriminals to bypass two-factor authentication, modify Web pages and covertly insert banking transactions.
“Ramnit’s authors followed the standard approach of malicious financial activities, supporting all basic features required for well-bred financial malware,” Trusteer said.