Ramnit worm steals 45,000 Facebook logins

Posted by Emma Woollacott

Fraudsters appear to have reengineered a worm first discovered two years ago to steal the names and logins of over 45,000 Facebook users.

The Ramnit worm infects Windows executables, Microsoft Office files and HTML files. According to security outfit Seculert, as well as stealing log-in data, it acts as a back door that gives hackers access to the infected computers.

Seculert says it's gained access to the command-and-control servers used, and has established that tens of thousands of users, mostly in the UK and France, appear to have had their log-in credentials stolen.

"We suspect that the attackers behind Ramnit are using the stolen credentials to log-in to victims' Facebook accounts and to transmit malicious links to their friends, thereby magnifying the malware's spread even further," says the company in a bulletin.

"In addition, cybercriminals are taking advantage of the fact that users tend to use the same password in various web-based services (Facebook, Gmail, Corporate SSL VPN, Outlook Web Access, etc.) to gain remote access to corporate networks."

Ramnit was first identified nearly two years ago. By this July, according to Symantec, it accounted for nearly one in six new malicious software infections.

In August, the hackers appear to have merged the worm with elements of the ZeuS trojan to bypass two-factor authentication and transaction signing systems, gain remote access to financial institutions, compromise online banking sessions and penetrate several corporate networks.

Since then, says Seculert, it's infected around 800,000 machines.

Seculert says it's provided Facebook with all of the stolen credentials that it found on the Ramnit servers.