Malware that stole 45,000 Facebook logins highlights security hole from cloud

Social-network, SaaS connections give malware pipeline through security in corporate nets

A worm designed to steal directly from both banks and consumers by covertly grabbing online bank logins has gone social, collecting the email addresses and Facebook passwords of 45,000 users so far as it has spread across Facebook.

Ramnit is a phenomenally successful family of malicious apps that was responsible for as many as 17.3 percent of all new malware infections, according to a Symantec report published in July 2011.

By August the virus, which had been designed to infect Windows apps and HTML files, "went financial" after source code for the Zeus bank-attack malware development kit leaked, allowing Ramnit developers to add many of Zeus' most successful exploits to the Ramnit toolbox.

The result was a malware kit that infected 800,000 new machines during the last quarter of 2011 using the new tools to "bypass two-factor authentication and transaction signing systems, gain remote access to financial institutions, compromise online banking sessions and penetrate several corporate networks," according to Seculert, which reported today it had found the command-and-control server for the Facebook variant.

Seculert reported that the URL for the Ramnit Facebook command-and-control server was easily visible, as were the 45,000 stolen Facebook logins, allowing the company to notify Facebook about compromised accounts.

The Facebook version of Ramnit represents an evolution of malware away from email and into social networks in which malware can spread quickly by sending poisoned links out to the contacts in compromised accounts – links most users presume to be safer than email attachments because they're not sent from strangers.

Infecting a Facebook, Gmail or other social-networking or cloud-based account not only makes it easier to spread a virus, it exposes far more sensitive corporate networks via links many workers maintain between social networking sites, cloud-based email or other services and their internal corporate network accounts, Seculert reported.

As cloud use grows, so do holes in corporate security

Malware designed to penetrate corporate accounts by leapfrogging from Facebook or other cloud-based networks is getting a lot of help from the robust connections many companies are building between their internal networks and software-as-a-service providers such as Salesforce, Gmail, Amazon Web Services and other cloud-based IT services.

Sixty-five percent of companies in Europe and North America have made relatively serious commitments to SaaS or cloud-based services, according to a survey of 3,500 businesses released Dec. 5, 2011 by Computer Sciences Corp.

The Cloud Usage Index Report showed huge variability in the goals and degree to which corporations are adopting SaaS or cloud-based computing services.

Nearly two thirds – 65 percent – have committed to cloud or SaaS services in a serious way, with contracts lasting 12 months or more.

Most view cloud and SaaS services as part of an overall effort to give employees connections to critical data from a variety of mobile devices, save money on the cost of building universal-access networks or new mobile services of their own and improve the services.

Cloud services offer so much flexibility and such easy access to new services that they sneak in under the transom – bought by business managers who buy from outside rather than wait for IT to approve a project, for example, according to a variety of cloud-analyst reports.

IT can't stop cloud, has to learn new sources of old threats

That rogue aspect – and the fact that specialists provide SaaS from outside rather than supporting all corporate applications from inside – virtually guarantees end users will perceive cloud services as better than internal IT and will continue to buy them even over opposition from IT, according to Bernard Golden, a columnist and CEO of cloud-consulting company HyperStratus.

Hackers using Ramnit, Zeus and other modified malware take advantage of connections to cloud-based services.

They also take advantage of the tension between users who want their Facebook, Gmail and Salesforce and IT departments trying to make sure those connections don't give malware or intruders safe passage through firewalls, antivirus, intrusion prevention and other security systems.

Stopping the Facebook variant of Ramnit is easy enough if you shut off all access to Facebook from inside a corporate firewall.

Private VPNs, proxies and other simple banned-site-bypass techniques are simple enough and well enough known to make any ban ineffective, however.

The increasing reliance of users on SaaS and cloud-based resources also makes it impractical to simply cut off the cloud at the first sign it might be carrying something noxious.

So if you're looking for a major new malware threat for 2012, you've found it. Cloud computing and social networks have become so widely used that corporate users rebel when prevented from using them.

They'll continue to fight for that access, even if they realize malware writers make far better use of social-network connections than end users do.

That's a problem for IT, they figure. And they're right. It's a problem users aren't going to solve, and one that social-network and cloud-services vendors won't solve to the specifications of individual user companies. And it's a problem that can't be left unsolved. So IT is the only one left to do it.

One more problem, which is actually a benefit to help keep underworked, overstaffed IT security departments busy. Because there weren't enough security risks available before to keep them from getting bored.
