The Ramnit worm, which was first detected more than 18 months ago, has continued to evolve and now has spawned a version that is targeting victims’ Facebook credentials, and with great success. Researchers at Seculert in Israel have found a variant of Ramnit that is stealing those credentials and then trying to compromise other accounts belonging to the victims, including VPNs, email and other sensitive accounts.
Ramnit has been causing trouble since the first half of 2010, going after online banking and FTP credentials, among other sensitive data, and racking up large infection numbers in the process. Seculert estimates that the earlier, financially focused variants of Ramnit infected more than 800,000 machines in the last five months of 2011. It is a file infector, often seen attaching itself to HTML files and Windows executables, but now the attackers behind the worm seem to have moved on to a new tactic.
“Recently, our research lab identified a completely new ‘financial’ Ramnit variant aimed at stealing Facebook login credentials. Since the Ramnit Facebook C&C URL is visible and accessible it was fairly straightforward to detect that over 45,000 Facebook login credentials have been stolen worldwide, mostly from users in the United Kingdom and France,” Seculert said in a blog post analyzing the new variant of Ramnit.
Seculert CTO Aviv Raff said via email that this doesn’t seem to be simply a new tactic from an older variant of Ramnit.
“It seems to be a completely separate variant. They have different C&C servers and they use different Domain Generation Algorithm seeds,” Raff said.
Stealing the Facebook credentials is just one step in the process, though. Once those credentials are in hand, it seems that the attackers then try to see whether the victims have reused their Facebook passwords on other sites. Password reuse is a common practice, and users often find that if one of their accounts is somehow compromised, others soon fall as well, as the attackers find more accounts secured with the same password. Seculert said that the crew behind the new variant of Ramnit is following this pattern and trying the stolen Facebook credentials against corporate email and VPN systems and other accounts held by the victims.
“We suspect that the attackers behind Ramnit are using the stolen credentials to log in to victims’ Facebook accounts and to transmit malicious links to their friends, thereby magnifying the malware’s spread even further. In addition, cybercriminals are taking advantage of the fact that users tend to use the same password in various web-based services (Facebook, Gmail, Corporate SSL VPN, Outlook Web Access, etc.) to gain remote access to corporate networks,” Seculert said.
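The pattern Seculert describes, a stolen credential set being replayed against Outlook Web Access and SSL VPN logins, leaves a recognisable trace on the defender's side: one source address cycling through many distinct usernames in a short window, with a handful of successes where passwords were reused. The following Python script is an added example and not code from Seculert or from the article; it runs a simple sliding-window detector over a constructed set of authentication log lines (the log format, the hostnames and the IP addresses are invented for the example) and reports which accounts an attacker got into.

```python
"""Credential-stuffing detector run over constructed OWA/VPN auth log lines.

Added example (not from the article): the log format, source addresses and
usernames below are constructed for illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 tries six different accounts across OWA and
# the SSL VPN within seconds (two succeed because those users reused their
# passwords); 198.51.100.20 is a legitimate user retrying after a typo.
SAMPLE_LOG = """\
2012-01-05T09:00:01 OWA src=203.0.113.7 user=alice result=FAIL
2012-01-05T09:00:03 OWA src=203.0.113.7 user=bob result=FAIL
2012-01-05T09:00:05 OWA src=203.0.113.7 user=carol result=SUCCESS
2012-01-05T09:00:06 VPN src=203.0.113.7 user=dave result=FAIL
2012-01-05T09:00:09 VPN src=203.0.113.7 user=erin result=FAIL
2012-01-05T09:00:12 VPN src=203.0.113.7 user=frank result=SUCCESS
2012-01-05T09:01:00 OWA src=198.51.100.20 user=alice result=FAIL
2012-01-05T09:01:05 OWA src=198.51.100.20 user=alice result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<service>OWA|VPN) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_distinct_users=5):
    """Flag source addresses that attempt many distinct usernames within `window`.

    For each source, slide a window over its time-sorted events and keep the
    window with the most distinct usernames. If that count reaches
    `min_distinct_users`, emit an alert listing the successful logins inside
    the burst: those are the accounts whose owners reused a password.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best = None  # (distinct_user_count, start_index, end_index)
        for i, start in enumerate(evs):
            users = set()
            j = i
            while j < len(evs) and evs[j]["ts"] - start["ts"] <= window:
                users.add(evs[j]["user"])
                j += 1
            if len(users) >= min_distinct_users and (best is None or len(users) > best[0]):
                best = (len(users), i, j)
        if best is None:
            continue  # a single user retrying a password never reaches the threshold
        count, i, j = best
        burst = evs[i:j]
        successes = sorted({(e["service"], e["user"]) for e in burst if e["result"] == "SUCCESS"})
        alerts.append({
            "src": src,
            "distinct_users": count,
            "window_start": burst[0]["ts"],
            "window_end": burst[-1]["ts"],
            "successes": successes,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_stuffing(parse_log(SAMPLE_LOG)):
        print(f"{alert['src']}: {alert['distinct_users']} accounts tried "
              f"{alert['window_start']}..{alert['window_end']}; "
              f"compromised: {alert['successes']}")
```

The threshold and window are deliberately coarse; on real OWA or VPN logs they need tuning, and an attacker who spreads attempts across many source addresses or paces them slowly will slip under a per-source count like this one. The accounts in the `successes` list are the ones to reset first, since a success inside such a burst means the password was known before the attempt, which is exactly what reuse of a stolen Facebook password would produce.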
Ramnit is one of a handful of hybrid worms and toolkits that attackers are using to target specific sets of high-value credentials and then either use them immediately or package and resell them. Zeus is perhaps the most famous example of this, and there has been some intermingling of the Ramnit and Zeus code in recent months. The hybrid version was able to use the large base of machines Ramnit had already infected and employ the capability Zeus has to harvest financial credentials, compromising a host of banks and corporate networks.