Ramnit worm steals 45K Facebook logins

Compromised accounts are mostly in the UK and France
Adam Smith
Adam Smith -


Facebook, which is swiftly becoming a haven for malware due to its high level of popularity, has been hit by a major worm attack.

First discovered in April 2010, Ramnit began life snaffling stored FTP credentials and browser cookies, according to Seculert, but has now made the move onto the social network.

Although before it made the jump to Facebook, the authors apparently endowed the worm with several financial fraud spreading capabilities to produce a “hybrid creature” of Ramnit and ZeuS source code.

Seculert reckons that around 800,000 machines have been infected by Ramnit between September and the end of 2011.

The latest Facebook targeting mutation apparently left the command and control URL visible and accessible, allowing Seculert to discover that around 45,000 logins have been stolen, mostly from the UK and France.

How do you know if you’ve been affected? At the moment, you don’t, although the security firm has passed the details of the compromised accounts on to Facebook, so we’d imagine they’ll be contacting individuals hit by the worm in due course.

Meanwhile it would seem the Ramnit authors are using the compromised accounts to spread links to websites loaded with the worm across friends lists. So one sign of being affected would be messages or links you haven’t posted, obviously…

Seculert wrote on its blog page: “With the recent ZeuS Facebook worm and this latest Ramnit variant, it appears that sophisticated hackers are now experimenting with replacing the old-school email worms with more up-to-date social network worms.”

“As demonstrated by the 45,000 compromised Facebook subscribers, the viral power of social networks can be manipulated to cause considerable damage to individuals and institutions when it is in the wrong hands.”

As ever, be careful what you click on in Facebook, even if the link is provided by a friend.

Post a comment

Your email address will not be published. Required fields are marked *


Visited 3143 times, 7 so far today