Ramnit not actually a Facebook worm
Posted on 12.01.2012
Last week, information surfaced about a new version of Ramnit, which had stolen some Facebook credentials. Most people understood that to mean that there was a new Facebook worm in town. If this were true, it would be pretty big news as genuine Facebook worms are rare.

It's easy to see how people would have come to that understanding, as Ramnit had 45,000 Facebook credentials in its tender care, plus several write-ups from researchers on the initial version of the worm show that it infected EXEs and HTML files. Put those two together, and it looks like a plausible conclusion.

I'm perfectly happy for someone to prove me wrong, but in my lab tests, the worm spectacularly failed to do anything with Facebook, other than (probably) steal my login credentials. I say "probably," because I did see Ramnit transmit information over an SSL connection every time I logged in. SSL, being encrypted, meant that I couldn't see exactly what Ramnit was sending. It also failed to infect any of my juicy HTM and HTML goat files (AKA virus bait).

45,000 victims initially sound like a large number, but when you consider that Facebook has 800 million users, it stands to reason that the attack cannot be automated, or the numbers would be much higher.

The real reason for bothering to try to steal Facebook credentials probably has more to do with people using the same user ID and password for Facebook and online banking, something that's regrettably common.

To be clear, Ramnit is a worm, just not a Facebook worm. However, this doesn't mean that Ramnit can be taken lightly or the threat ignored.

What the worm did was to infect every EXE and every DLL on my goat system on the very first run. This is what's known as a fast infector, and what this means is that if you do get it, it's going to be a real pain to remove.
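The goat-file approach described above can be scripted: hash a set of bait files before running a sample, then re-hash them afterwards, and a fast infector shows up as every EXE and DLL changing at once while the HTML bait stays untouched. The following is an added example, not code from the original post or from ICSA Labs; the goat files it plants are dummy byte strings rather than real executables, and the "infection" is simulated by appending bytes to them.

```python
import hashlib
import tempfile
from pathlib import Path

# Suffixes the post names as Ramnit targets: EXE and DLL (infected) plus HTM/HTML (bait that was not touched).
GOAT_SUFFIXES = {".exe", ".dll", ".htm", ".html"}

def sha256_of(path: Path) -> str:
    # Hash in 64 KiB chunks so large executables never have to be loaded whole.
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def baseline(root: Path) -> dict:
    """Map each goat file under root (relative POSIX path) to (sha256, size in bytes)."""
    return {
        p.relative_to(root).as_posix(): (sha256_of(p), p.stat().st_size)
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in GOAT_SUFFIXES
    }

def diff_baseline(root: Path, before: dict) -> dict:
    """Re-hash the goat files; report which changed (old size, new size), appeared or vanished."""
    after = baseline(root)
    changed = {n: (before[n][1], after[n][1]) for n in before
               if n in after and before[n][0] != after[n][0]}
    return {"changed": changed,
            "new": sorted(set(after) - set(before)),
            "missing": sorted(set(before) - set(after))}

def demo() -> dict:
    """Constructed scenario: plant dummy goat files, baseline them, simulate a fast infector, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ["app.exe", "lib/helper.dll", "page.html", "notes.txt"]:
            (root / name).parent.mkdir(parents=True, exist_ok=True)
            (root / name).write_bytes(b"goat " + name.encode())  # dummy bytes, not a real PE
        before = baseline(root)
        # Simulated infection: append 16 bytes to every EXE and DLL; the HTML bait is left alone.
        for p in root.rglob("*"):
            if p.suffix.lower() in {".exe", ".dll"}:
                with p.open("ab") as fh:
                    fh.write(b"\x90" * 16)
        return diff_baseline(root, before)
```

On a real goat system you would take the baseline on a clean snapshot, run the sample, then diff from a clean boot, since a running infector can hide its own changes from tools on the infected host.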

So what should you do about it?

1. The first thing is to remember that password re-use is your enemy. Use a unique password for every site that you log into. Write them down and keep them in your wallet or purse. If you lose that, you know you have to cancel all your credit cards and change your passwords, but at least you know your information has been stolen.

2. The second thing to do is to always use an ICSA Labs' certified anti-virus product, and keep it up to date.

3. You should consider organizing some form of automatic backup. In my house, the important computers are automatically backed up every hour. If you don't have a local form of backup, there are plenty of cloud-based options. You might still get a virus, but if worst comes to worst, you can nuke your system, and restore from your backup.

4. Think before you link. If a deal sounds too good to be true, or a video sounds too amazing to be true, guess what? It's probably not true, and might well be a trap.

Roger Thompson, chief emerging threats researcher at ICSA Labs.
