Warning: New Round of VERY SERIOUS Facebook / bank account hacks
Gallagher, Uptime (Ars Technica)
January 11, 2012
variant of Ramnit, the Windows malware responsible for the recent theft
least 45,000 Facebook logins, is the latest example of how malware
cyber-criminals take “off-the-shelf” hacks and bolt them together to
viruses new tricks. Facebook passwords aren’t the only thing that the
virus can grab—thanks to the integration of some of the code from the
botnet trojan, Ramnit can now be customized with modules for all
an interesting beast,” said Amit Klein, CTO of web security services
Trusteer in an interview with Ars. “Until last summer, it was just a
worm spreading around by infecting files. Then they retrofitted it with
financial fraud capabilities.”
version of Ramnit is a potent threat to enterprises, he said, because
capture any data in a web session—and as more companies move to
software as a service for enterprise applications, that could include
sighted by researchers in 2010 in its initial form, Ramnit spreads by
itself to Windows executable files (.EXE, .SCR and .DLL files) as well
HTML documents. In some variants spotted earlier this year by Microsoft
researchers, it also attached itself to Microsoft Office documents.
have also been spotted that install themselves onto USB drives when
connected, and create an Autorun script that launches the virus’
the drive is plugged into another PC.
infections exploded in the summer of 2011. According to a report from
Ramnit accounted for over 17 percent of the malware blocked by the
antivirus software in July. Researchers at the security firm Seculert
through the installation of a “sinkhole” that between September and
2011, over 800,000 individual Windows PCs were infected with the virus
reporting back to a command and control network.
arrives on a victim’s PC, the virus runs an installer that unpacks
payload on the system, changing Windows’ registry file to automatically
the malware at startup. Ramnit uses a hidden browser instance to create
communications link, establishing a connection to a hacker’s command
control network. It can then load modules that inject JavaScript and
web browser sessions on the infected machine—a capability borrowed from
Zeus botnet, Klein told us.
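The two persistence behaviours the article attributes to Ramnit (a registry entry that launches the malware at startup, and an Autorun script dropped onto USB drives) are both things a defender can check for on a host. The following is an added example, not code from the article or from Trusteer; it runs two small checks over constructed sample data. The registry values, file paths and the autorun.inf content are made up for illustration, and the heuristics (user-writable locations, Windows system binary names outside System32, .SCR/.DLL autostart payloads) are assumptions about what is worth flagging, not indicators taken from the article.

```python
"""Defender-side checks for startup persistence and USB Autorun propagation.

Added example: the sample data below is constructed, not a real artefact.
"""
import configparser
import re

# Constructed sample of values as they might appear under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Run (hypothetical paths).
SAMPLE_RUN_VALUES = {
    "VendorTool": r'"C:\Program Files\Vendor\Tool.exe" /tray',
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "svchost": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
    "update": r'"C:\Users\alice\AppData\Roaming\update.scr"',
}

# Constructed autorun.inf of the kind used to launch a payload when a
# removable drive is plugged in.
SAMPLE_AUTORUN_INF = """[autorun]
open=RECYCLER\\setup.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
shellexecute=RECYCLER\\setup.exe
"""

# Heuristics (assumptions): autostart targets in user-writable folders,
# system binary names living outside System32, and non-.exe payloads.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData)\\", re.IGNORECASE)
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}


def _exe_path(command):
    """Extract the executable path from a Run value (quoted or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def suspicious_run_entries(run_values):
    """Return (name, path, reasons) for Run entries matching any heuristic."""
    findings = []
    for name, command in run_values.items():
        path = _exe_path(command)
        base = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if USER_WRITABLE.search(path):
            reasons.append("user-writable location")
        if base in SYSTEM_NAMES and "\\windows\\system32\\" not in path.lower():
            reasons.append("system binary name outside System32")
        if base.endswith((".scr", ".dll")):
            reasons.append("non-.exe autostart payload")
        if reasons:
            findings.append((name, path, reasons))
    return findings


def autorun_targets(inf_text):
    """Return the programs an autorun.inf would launch via open= / shellexecute=."""
    parser = configparser.ConfigParser(interpolation=None)  # keep %SystemRoot% literal
    parser.read_string(inf_text)
    if not parser.has_section("autorun"):
        return []
    targets = []
    for key in ("open", "shellexecute"):  # configparser lowercases option names
        if parser.has_option("autorun", key):
            targets.append(parser.get("autorun", key).strip())
    return targets


if __name__ == "__main__":
    for name, path, reasons in suspicious_run_entries(SAMPLE_RUN_VALUES):
        print(f"Run\\{name}: {path} ({', '.join(reasons)})")
    for target in autorun_targets(SAMPLE_AUTORUN_INF):
        print(f"autorun.inf would launch: {target}")
```

On a live host the Run values would come from the registry (for example via `winreg`) and the autorun.inf from the root of each removable volume; the heuristics above produce false positives for legitimate software installed under AppData, so treat the output as a triage list rather than a verdict.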
found traces of the Zeus code” in Ramnit, he said, and those were
to Zeus’ ability to sniff for connections to banking systems and load
“webinject” modules to steal account data. That capability also allows
to defeat security measures such as two-factor authentication and
certificate-signed transactions, giving them the ability to hijack
banking sessions and ride on the backs of users through corporate
web mail and other systems.
Facebook attack is most likely part of an effort by hackers to simply
distribute Ramnit more widely, using the accounts to spread links that
additional computers with the virus or other malware. So it seems
we’ve heard the last of Ramnit.