In his blog on the evolution of malware, Roger Thompson of ICSA Labs noted that we are now entering the privacy revolution. “Facebook has more than 800 million users,” he wrote, “and by its own count, more than 1 million developers building apps for them. No one really knows who the developers are, or what their motivations are, but intuitively, I am confident that not all of them have sweetness and light in their hearts....”
A large pool with an inherent level of trust among its users is a temptation too far. The malware developers behind Ramnit are now using Facebook to help spread their malware. “It starts by using already-stolen credentials and using these to ‘seed’ the infection,” explained Kaspersky’s David Emm. “It then spreads via messages sent from the stolen accounts – by tricking people into clicking on links in the messages.” The links go to malicious sites from which Ramnit is downloaded to infect the visiting PCs. Seculert, which has been closely monitoring Ramnit, believes that 45,000 users (69% in the UK, and 27% in France) have already been infected in this manner.
Seculert also believes that “cybercriminals are taking advantage of the fact that users tend to use the same password in various web-based services (Facebook, Gmail, Corporate SSL VPN, Outlook Web Access, etc.) to gain remote access to corporate networks.”
Last summer Trusteer announced that the original Ramnit had evolved into financial malware. Following, and possibly because of the publication of Zeus source code, this new version is able to by-pass two-factor authentication and compromise online banking transactions. By the end of the year Seculert had discovered that around 800,000 machines had been infected with Ramnit. The version targeting Facebook users, however, “seems to be completely separate variant,” commented Seculert’s CTO Aviv Raff. “They have different C&C servers and they use different Domain Generation Algorithm seeds.”