Facebook users should be on alert. An old worm has learned some new tricks, and is spreading through the social network compromising accounts and possibly gaining access to financial information. Seculert claims that logon credentials from over 45,000 Facebook accounts have been stolen so far.
The Ramnit malware itself has been around for quite a while. The initial discovery dates back to April of 2010. An October 2010 post from McAfee explains that the worm is capable of infecting EXE, DLL, and HTML files, and breaks down in detail how the malware works.
Following the release of the ZeuS botnet source code, though, malware developers borrowed from the ZeuS playbook to modify Ramnit. The resulting merger is a worm that has the scope and propagation of Ramnit, combined with the financial data-stealing talents of ZeuS.
Bill Morrow, executive chairman for Quarri Technologies, explains that the original Ramnit variants were thought to be spread via compromised USB thumb drives. The new variant, however, is spreading through Facebook using stolen credentials.
Seculert speculates that the attackers may be exploiting poor security practices to compromise more than just Facebook. It says, “Cybercriminals are taking advantage of the fact that users tend to use the same password in various web-based services (Facebook, Gmail, Corporate SSL VPN, Outlook Web Access, etc.) to gain remote access to corporate networks.”
There are basically two things you can do to prevent becoming a victim of this latest Ramnit variant. First, think twice about clicking on links from your Facebook contacts. Actually, think twice about clicking on any links or opening any file attachments from any contacts on any social networks or Web-based services. You should be especially skeptical if a contact you barely communicate with sends you an obscure link out of the blue.
The other thing you can do to minimize the potential impact of this Ramnit worm, and guard your data and financial accounts against compromise is to not use the same username and password credentials for more than one service. It is bad enough if your Facebook account is compromised, but the attackers shouldn’t also be able to hack into your bank account, Gmail account, or anywhere else using those same credentials.
The Seculert post sums up nicely: “As demonstrated by the 45,000 compromised Facebook subscribers, the viral power of social networks can be manipulated to cause considerable damage to individuals and institutions when it is in the wrong hands.”