M@il Magazine 24

ALERT & Warning: New Round of VERY SERIOUS Facebook / bank account hacks

by Sean Gallagher, Uptime (Ars Technica), January 11, 2012
The latest variant of Ramnit, the Windows malware responsible for the recent theft of at least 45,000 Facebook logins, is the latest example of how malware writers and cyber-criminals take “off-the-shelf” hacks and bolt them together to teach old viruses new tricks. Facebook passwords aren’t the only thing that the Ramnit virus can grab—thanks to the integration of some of the code from the Zeus botnet trojan, Ramnit can now be customized with modules for all manner of remote-controlled mayhem.
“Ramnit is an interesting beast,” said Amit Klein, CTO of web security services firm Trusteer, in an interview with Ars. “Until last summer, it was just a generic worm spreading around by infecting files. Then they retrofitted it with financial fraud capabilities.”
The evolved version of Ramnit is a potent threat to enterprises, he said, because it can capture any data in a web session—and as more companies move to web-based software as a service for enterprise applications, that could include almost anything.
First sighted by researchers in 2010 in its initial form, Ramnit spreads by attaching itself to Windows executable files (.EXE, .SCR and .DLL files) as well as to HTML documents. In some variants spotted earlier this year by Microsoft researchers, it also attached itself to Microsoft Office documents. Versions have also been spotted that install themselves onto USB drives when they’re connected, and create an Autorun script that launches the virus’ installer when the drive is plugged into another PC.
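The USB propagation path described above relies on an autorun.inf file whose launch directives point at the installer. The following is an added example, not code from the article or from any of the vendors it quotes: a small Python checker that parses an autorun.inf and flags any launch directive (open, shellexecute, shell\open\command) that targets an executable. Both sample files, including the RECYCLER\setup.exe target, are constructed for illustration and are not real Ramnit indicators.

```python
"""Added example (not from the article): flag autorun.inf files that would
launch a program when a removable drive is inserted. Sample contents and
paths below are constructed, not real Ramnit indicators."""
import configparser
from pathlib import Path

# Constructed sample resembling an autorun.inf dropped on a USB stick. The
# "RECYCLER\setup.exe" target is a placeholder, not an actual Ramnit indicator.
SUSPICIOUS_AUTORUN = """\
[AutoRun]
open=RECYCLER\\setup.exe
shellexecute=RECYCLER\\setup.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
"""

# Constructed benign sample: only cosmetic directives, nothing is executed.
BENIGN_AUTORUN = """\
[autorun]
icon=drive.ico
label=Holiday photos
"""

# Directives that cause something to run, and extensions worth flagging
# (the article names .EXE, .SCR and .DLL as Ramnit's host file types).
LAUNCH_DIRECTIVES = ("open", "shellexecute", "shell\\open\\command")
EXEC_SUFFIXES = (".exe", ".scr", ".dll", ".com", ".pif", ".bat", ".cmd", ".vbs")


def launch_targets(text):
    """Return (directive, target) pairs from the [autorun] section that execute something."""
    # interpolation=None: %SystemRoot% is an environment reference, not a configparser one.
    # strict=False: a sloppily written file may repeat keys; keep going rather than fail.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    found = []
    for section in cp.sections():
        if section.lower() != "autorun":   # section name is case-insensitive on Windows
            continue
        for key, value in cp.items(section):
            if key in LAUNCH_DIRECTIVES:   # keys are already lower-cased by configparser
                found.append((key, value.strip()))
    return found


def classify(text):
    """'suspicious' if any launch directive points at an executable, else 'benign'."""
    for _, target in launch_targets(text):
        parts = target.split()
        program = parts[0].strip('"').lower() if parts else ""
        if program.endswith(EXEC_SUFFIXES):
            return "suspicious"
    return "benign"


def scan_drive_root(root):
    """Classify the autorun.inf at a drive root; returns 'absent' if there is none."""
    inf = Path(root) / "autorun.inf"
    if not inf.is_file():
        return "absent"
    return classify(inf.read_text(errors="replace"))


if __name__ == "__main__":
    for label, sample in (("constructed infected stick", SUSPICIOUS_AUTORUN),
                          ("constructed clean stick", BENIGN_AUTORUN)):
        print(f"{label}: {classify(sample)} {launch_targets(sample)}")
```

Point scan_drive_root at a mounted drive root (for example E:\ on Windows or /media/usb0 on Linux) to check a real stick; icon and label directives are ignored because they never execute anything, so only the launch directives decide the verdict.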
Ramnit infections exploded in the summer of 2011. According to a report from Symantec, Ramnit accounted for over 17 percent of the malware blocked by the company’s antivirus software in July. Researchers at the security firm Seculert found through the installation of a “sinkhole” that between September and December of 2011, over 800,000 individual Windows PCs were infected with the virus and reporting back to a command and control network.
However it arrives on a victim’s PC, the virus runs an installer that unpacks Ramnit’s payload on the system, modifying the Windows registry to automatically launch the malware at startup. Ramnit uses a hidden browser instance to create a communications link, establishing a connection to a hacker’s command and control network. It can then load modules that inject JavaScript and HTML into web browser sessions on the infected machine—a capability borrowed from the Zeus botnet, Klein told us.
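The registry-based startup persistence described above is something a defender can audit. The following is an added example, not code from the article or from Trusteer: a Python script that reads an exported .reg file, picks out the auto-start entries, and flags any program launched from a user-writable directory. The article says Ramnit edits the registry to start at boot but does not name the key, so the Run and RunOnce keys are assumed here; the sample export, its value names, paths and the user name "alice" are all constructed.

```python
"""Added example (not from the article): audit auto-start entries in an
exported Windows .reg file and flag programs launched from user-writable
locations. The Run/RunOnce keys are an assumption (the article does not
name the key Ramnit uses); the sample export is constructed."""
import re

# Constructed "reg export" of the current user's Run key. Names, paths and the
# user name "alice" are made up; none of this is real Ramnit data.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"svchost"="C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"
"Updater"="\"C:\\Users\\alice\\AppData\\Roaming\\xyzsoft\\update.exe\" -silent"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''

# Keys whose values are launched at logon; other keys in the export are skipped.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\]$", re.IGNORECASE)
# "name"="value" lines; .reg escapes backslash and quote with a backslash.
STRING_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Path fragments a legitimately installed auto-start program rarely lives under.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\",
                         "\\programdata\\", "\\users\\public\\")


def unescape(value):
    """Undo .reg string escaping (backslash-escaped backslash and quote) in one pass."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_run_entries(reg_text):
    """Return (key, value_name, command) for every string value under a Run/RunOnce key."""
    current_key, in_run_key, entries = None, False, []
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            in_run_key = RUN_KEY_RE.search(line) is not None
            continue
        match = STRING_VALUE_RE.match(line)
        if in_run_key and match:       # dword/hex values are not commands; ignored
            entries.append((current_key, unescape(match.group(1)), unescape(match.group(2))))
    return entries


def program_path(command):
    """Extract the program from a command line, honouring a quoted path with spaces."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(" ", 1)[0]


def flag_suspicious(reg_text):
    """Names of auto-start values whose program sits in a user-writable directory."""
    flagged = []
    for _key, name, command in parse_run_entries(reg_text):
        path = program_path(command).lower()
        if any(marker in path for marker in USER_WRITABLE_MARKERS):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for key, name, command in parse_run_entries(SAMPLE_REG_EXPORT):
        print(f"{key}\n  {name!r} -> {command}")
    print("flagged:", flag_suspicious(SAMPLE_REG_EXPORT))
```

On a real machine, produce the input with reg export of the HKCU and HKLM Run keys and feed the file to flag_suspicious; the location heuristic is deliberately simple, so treat a hit as a prompt to inspect the binary rather than as a verdict, and extend USER_WRITABLE_MARKERS to match the directory layout of the environment being audited.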
“We’ve found traces of the Zeus code” in Ramnit, he said, and those were specifically related to Zeus’ ability to sniff for connections to banking systems and load “webinject” modules to steal account data. That capability also allows hackers to defeat security measures such as two-factor authentication and certificate-signed transactions, giving them the ability to hijack online banking sessions and ride on the backs of users through corporate security to web mail and other systems.
The Facebook attack is most likely part of an effort by hackers to simply distribute Ramnit more widely, using the accounts to spread links that infect additional computers with the virus or other malware. So it seems unlikely that we’ve heard the last of Ramnit.