Ramnit not actually a Facebook worm

Last week, information surfaced about a new version of Ramnit, which had stolen some Facebook credentials. Most people understood that to mean that there was a new Facebook worm in town. If this were true, it would be pretty big news as genuine Facebook worms are rare.

It’s easy to see how people would have come to that understanding, as Ramnit had 45,000 Facebook credentials in its tender care, plus several write-ups from researchers on the initial version of the worm show that it infected EXEs and HTML files. Put those two together, and it looks like a plausible conclusion.

I’m perfectly happy for someone to prove me wrong, but in my lab tests, the worm spectacularly failed to do anything with Facebook, other than (probably) steal my login credentials. I say “probably,” because I did see Ramnit transmit information over an SSL connection every time I logged in. SSL, being encrypted, meant that I couldn’t see exactly what Ramnit was sending. It also failed to infect any of my juicy HTM and HTML goat files (AKA virus bait).

45,000 victims initially sound like a large number, but when you consider that Facebook has 800 million users, it stands to reason that the attack cannot be automated, or the numbers would be much higher.

The real reason for bothering to try to steal Facebook credentials probably has more to do with people using the same user ID and password for Facebook and online banking, something that’s regrettably common.

To be clear, Ramnit is a worm, just not a Facebook worm. However, this doesn’t mean that Ramnit can be taken lightly or the threat ignored.

What the worm did was to infect every EXE and every DLL on my goat system on the very first run. This is what’s known as a fast infector, and what this means is that if you do get it, it’s going to be a real pain to remove.

So what should you do about it?

1. The first thing is to remember that password re-use is your enemy. Use a unique password for every site that you log into. Write them down and keep them in your wallet or purse. If you lose that, you know you have to cancel all your credit cards and change your passwords, but at least you know your information has been stolen.

2. The second thing to do is to always use an ICSA Labs’ certified anti-virus product, and keep it up to date.

3. You should consider organizing some form of automatic backup. In my house, the important computers are automatically backed up every hour. If you don’t have a local form of backup, there are plenty of cloud-based options. You might still get a virus, but if worst comes to worst, you can nuke your system, and restore from your backup.

4. Think before you link. If a deal sounds too good to be true, or a video sounds too amazing to be true, guess what? It’s probably not true, and might well be a trap.

Roger Thompson, chief emerging threats researcher at ICSA Labs.