Ramnit worm heads for Facebook

Published by

Seculert Cyber Threat Management has done a lot of research on the Ramnit worm and recently spotted it targeting Facebook accounts stealing over 45,000 logins mostly from the UK and France. The worm was originally discovered in April of 2010 by Microsoft security who describes it as “Win32/Ramnit is a family of multi-component malware that infects Windows executable files, Microsoft Office files and HTML files. Win32/Ramnit spreads to removable drives, steals sensitive information such as saved FTP credentials and browser cookies. The malware may also open a backdoor to await instructions from a remote attacker.”

In August 2011 (yes, over a year later) Trusteer reported that the worm had gone financial by trying to compromise banks and other corporate networks.

The URL used is fairly simple so always be sure to go to Facebook from your bookmarks and login, never follow a link from email or sites you do not trust.

The assumption here is that the worm is being used to send out malicious links. I have spotted at least one new one today; most of you know when you see them. Suculart’s assumption is that hackers are trying to modify this worm from the old email scams to social networking. We suspect it won’t be the first by a longshot.

Seculert has provided Facebook with all of the stolen credentials that were found on the Ramnit servers.