January 05, 2012, 11:41 AM — A worm designed to steal directly from both banks and consumers by covertly grabbing online bank logins has gone social, collecting the email addresses and Facebook passwords of 45,000 users so far as it has spread across Facebook.
Ramnit is a phenomenally successful family of malicious apps that was responsible for as many as 17.3 percent of all new malware infections, according to a Symantec report published in July 2011.
By August the virus, which had been designed to infect Windows apps and HTML files, "went financial" after source code for the Zeus bank-attack malware development kit leaked, allowing Ramnit developers to add many of Zeus' most successful exploits to the Ramnit toolbox.
The result was a malware kit that infected 800,000 new machines during the last quarter of 2011, using the new tools to "bypass two-factor authentication and transaction signing systems, gain remote access to financial institutions, compromise online banking sessions and penetrate several corporate networks," according to Seculert, which reported today it had found the command-and-control server for the Facebook variant.
Seculert reported that the URL for the Ramnit Facebook command-and-control server was easily visible, as were the 45,000 stolen Facebook logins, allowing the company to notify Facebook about compromised accounts.
The Facebook version of Ramnit represents an evolution of malware away from email and into social networks, where malware can spread quickly by sending poisoned links out to the contacts in compromised accounts – links most users presume to be safer than email attachments because they're not sent from strangers.