Facebook locks down 45,000 accounts to stop 'worm' spreading

Discussion in 'Anti-Virus' started by Virus Guy, Jan 7, 2012.

  1. Virus Guy

    Virus Guy Guest

    http://www.telegraph.co.uk/technology/facebook/8997618/Facebook-locks-down-45000-accounts-to-stop-worm-spreading.html

    Facebook locks down 45,000 accounts to stop 'worm' spreading

    Facebook has acted to stop the spread of a new variety of malicious
    software that has stolen login details from 45,000 mostly British and
    French users.

    1:43PM GMT 06 Jan 2012

    The Ramnit worm has been spreading since April 2010, but was only
    recently adapted to target Facebook details, according to computer
    security experts. It was previously used by cyber criminals to steal
    login credentials for other services, including online banking.

    A “worm” is distinct from a normal computer virus in that it can
    reproduce itself without needing to attach itself to an existing
    program. This ability means worms can spread very rapidly online.

    The new threat to Facebook users was highlighted this week by Seculert,
    an Israeli computer security firm. It said most of the users affected so
    far are British or French.

    “Our research lab identified a completely new 'financial' Ramnit variant
    aimed at stealing Facebook login credentials,” the firm said in a blog
    post.

    “It was fairly straightforward to detect that over 45,000 Facebook login
    credentials have been stolen worldwide, mostly from users in the United
    Kingdom and France.”

    According to Seculert, whoever is behind the new Ramnit variant is using
    the stolen login details to access victims’ Facebook accounts and send
    malicious links to their friends.

    “We suspect that the attackers behind Ramnit are using the stolen
    credentials to log-in to victims' Facebook accounts and to transmit
    malicious links to their friends, thereby magnifying the malware's
    spread even further,” the firm said.

    The personal information stolen from compromised Facebook accounts is
    potentially valuable to cyber criminals and is sometimes traded on
    online black markets.

    Facebook said that it had learned of the new attack on its users last
    week and has already taken action to defend them.

    It said it had studied the 45,000 stolen login details and concluded
    that most of them were out of date. However, all affected users will be
    forced to reset their password to improve security.

    “Last week we received from external security researchers a set of user
    credentials that had been harvested by a piece of malware,” a spokesman
    said.

    “Our security experts have reviewed the data, and while the majority of
    the information was out-of-date, we have initiated remedial steps for
    all affected users to ensure the security of their accounts.

    “Thus far, we have not seen the virus propagating on Facebook itself,
    but have begun working with our external partners to add protections to
    our anti-virus systems to help users secure their devices.”

    It said users should never click on strange links and should report any
    suspicious activity.
     
    Virus Guy, Jan 7, 2012
    #1

  2. Nice that they mentioned this, but it is a distinction you'll likely
    like even less than the virus/malware dichotomy. To me, it is a somewhat
    less important distinction and remains 'fuzzy'.

    [...]
     
    FromTheRafters, Jan 7, 2012
    #2

  3. Virus Guy

    Dustin Guest

    Not to me. Here's why...

    We'll just deal with file infectors for the sake of making this less
    complicated. A virus requires a host. It will seek out an exe that
    doesn't already have its presence and install it (infecting said exe
    file). This file has been modified to carry virus code. Executing it
    later will cause the virus code and maybe the original host to still run
    and further spread the virus. Simply deleting an infected executable
    will not remove the virus, as many other executables are likely
    containing it now. They have to be identified and disinfected (if
    possible) if you wish to make use of them again. You may or may not be
    able to restore them to the original byte(s) depending on the virus
    which infected them and the manner in which it was used. A trojan OTH
    can be removed by deleting its exe once you locate it.

    A worm OTH is really its own program, all self contained, that
    replicates by copying a complete copy of itself. For example, it
    requires no host; it can readily create an exe called worm2.exe and drop
    its image right into it. When worm2.exe is later run by an unsuspecting
    user on another computer, it drops worm3.exe; they're both identical for
    this discussion (polymorphic worms do exist tho)... and worm3 goes and
    does the same thing.

    A worm can be removed in a similar fashion as a trojan once you
    identify them all; you just delete them. There is no host to restore as
    they didn't infect anything.

    These are important distinctions if it's your intention to properly
    identify the problem and repair the system with minimal (preferably
    none) data loss in the process.
     
    Dustin, Jan 7, 2012
    #3
  4. Virus Guy

    Dustin Guest

    Minor followup:

    There are worm/virus combos. They drop an exe of themselves in a worm
    fashion. This is a new exe, so you can just delete it like you would a
    trojan. You will have to identify the viral code in other pre-existing
    executables and disinfect if possible to remove the virus portion.
    Failure to complete both steps will likely result in a reinfection of
    virus and worm.

    For simple examples, see the Toadie and Irok viruses. They're old, all
    well known, and do exactly as I've described and are removed in the
    processes I've already outlined above. These are textbook real world
    examples which correctly fit the well established definitions above.
     
    Dustin, Jan 7, 2012
    #4
  5. Understood, and I agree.
    "Requires" no host in order to spread, agreed. Of course that doesn't
    mean it can't virally infect a program file or files for purposes other
    than the spreading. It can, for instance, infect as a method aimed at
    persistence.

    Such a program doesn't *need* to use a host executable to *spread* and
    so is a worm by the definition provided in that article (and that idea
    is echoed in many other places).

    In that scenario, you still need to look for virally infected programs
    even though you are dealing with what is called a worm (blended threat
    actually).
    I disagree. According to all of the definitions I have found worms are
    not precluded from also being viruses. It is often stated as 'a worm
    does not *need* to infect in order to propagate'. I have not seen a
    definition that states that a worm *must not* infect a program with a
    copy of itself. It is still a worm even if it is also a virus.

    I also understand that the "worms" we are talking about are not the true
    worms of the computer science realm but are the modern wormlike programs
    often requiring the user clicking on something he or she shouldn't have.
    Absolutely! My point was that there are other distinctions besides the
    dichotomy between the non-replicating "trojan" and the replicating
    "virus" and "worm". VG may eventually understand why it is important to
    distinguish the differing types of malware, especially as you pointed
    out where removal of the malware or the avoidance of the malware is the
    issue. Different measures need to be taken for different malware types.
     
    FromTheRafters, Jan 8, 2012
    #5
  6. I responded before reading your followup post, this aspect is what I was
    getting at. It will still be called a worm despite the fact that it also
    is a virus because it doesn't *need* to infect pre-existing programs in
    order to survive and replicate.

    That is why it seems a little fuzzy to me.
     
    FromTheRafters, Jan 8, 2012
    #6
  7. Virus Guy

    Dustin Guest

    That's because these samples specifically perform two separate functions
    in an effort to survive. They seek out other executables and infect
    them (1-virus). They also drop an image of themselves which is, as I
    said, a completely new executable that wasn't previously on your
    machine (2-worm).

    The new worm executable can be deleted and it's done for; providing you
    seek out the viral code and deal with it too. The virus module has
    already replicated the entire program to your legit .exe files. You must
    now deal with that aspect or the worm can come right back. As can the
    virus re-infect previously cleaned files. Again tho, it's two separate
    processes or subroutines (hell, think of them as two programs in one exe
    if you'd like) both intent on survival; working together to accomplish
    it. Attacking the host OS from multiple points. Get the exes, drop a
    fresh exe to spread my complete self to other computers via social
    engineering and their email/irc clients (in these cases).

    You could disable its ability to seek out and infect exes and it would
    simply become a worm. You can likewise disable its worm functions and
    it becomes a virus only.

    What's going on tho is really two separate and distinct methods of
    retaining your presence. It's just being combined into the same
    executable.
    You have to think of it as multiple technologies being applied in a
    combined effort to survive as a whole. They are viruses AND worms. They
    have specific routines for the specific replications. One relies on
    actually infecting previously existing files, one creates a new file and
    drops the image complete with working exe header to begin anew.
     
    Dustin, Jan 8, 2012
    #7
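    The two-step cleanup Dustin lays out in posts #3, #4 and #7 (delete the
    dropped worm copies outright; find and disinfect the pre-existing
    executables that carry the viral routine) can be modelled as a small
    triage scanner. The script below is an added example written for this
    thread, not code from the thread, from any AV vendor, or from Ramnit,
    Toadie or Irok analysis. It runs over an in-memory set of constructed
    sample files; the "viral signature" bytes, the worm image, and all file
    names and contents are constructed for the example, and the disinfection
    step assumes a simple appending infector, which is exactly the case where
    Dustin's "may or may not be able to restore" caveat is favourable.

```python
"""Triage scanner modelling a worm/virus combo cleanup (added example).

Step 1 - worm copies: files byte-identical to the dropped worm image. They
         have no host underneath, so they are simply deleted.
Step 2 - infected hosts: pre-existing executables that now contain the viral
         routine. They are disinfected (routine stripped), not deleted, to
         avoid data loss. Skipping either step lets the other half return.
All data here is constructed; nothing replicates anything.
"""
import hashlib
from typing import Dict, List, Tuple

# Constructed bytes standing in for the replicating routine a real scanner
# would match with vendor signatures or heuristics.
VIRAL_SIGNATURE = b"<<CONSTRUCTED-VIRAL-ROUTINE>>"

# The stand-alone worm image: a constructed minimal 'header' plus the routine.
WORM_IMAGE = b"MZ-WORM" + VIRAL_SIGNATURE

# Constructed sample 'filesystem': path -> file bytes.
SAMPLE_FILES: Dict[str, bytes] = {
    "C:/Windows/worm2.exe": WORM_IMAGE,                 # dropped copy (worm)
    "C:/Users/a/Downloads/worm3.exe": WORM_IMAGE,       # another dropped copy
    "C:/Program Files/editor/editor.exe":
        b"MZ-EDITOR" + b"legit code" + VIRAL_SIGNATURE,  # infected host (appender)
    "C:/Program Files/player/player.exe":
        b"MZ-PLAYER" + b"legit code",                    # clean executable
    "C:/Users/a/notes.txt": b"just text",                # clean data file
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify(files: Dict[str, bytes], worm_image: bytes,
             signature: bytes) -> Dict[str, List[str]]:
    """Sort paths into worm copies, infected hosts and clean files.

    A worm copy is hash-identical to the worm image; an infected host differs
    from the image but still contains the routine somewhere inside.
    """
    worm_hash = sha256(worm_image)
    result: Dict[str, List[str]] = {"worm_copies": [], "infected_hosts": [], "clean": []}
    for path, data in sorted(files.items()):
        if sha256(data) == worm_hash:
            result["worm_copies"].append(path)
        elif signature in data:
            result["infected_hosts"].append(path)
        else:
            result["clean"].append(path)
    return result


def disinfect(data: bytes, signature: bytes) -> bytes:
    """Strip an appended routine from a host, restoring the original bytes.

    Only correct for a simple appending infector (the constructed case here).
    An overwriting or cavity infector destroys host bytes and may leave the
    file unrecoverable, in which case restoring from backup is the only fix.
    """
    idx = data.rfind(signature)
    if idx == -1:
        return data
    return data[:idx] + data[idx + len(signature):]


def clean_up(files: Dict[str, bytes], worm_image: bytes,
             signature: bytes) -> Tuple[Dict[str, bytes], Dict[str, List[str]]]:
    """Apply both steps; return the surviving files and the triage report."""
    report = classify(files, worm_image, signature)
    remaining: Dict[str, bytes] = {}
    for path, data in files.items():
        if path in report["worm_copies"]:
            continue                                 # step 1: delete, no host to restore
        if path in report["infected_hosts"]:
            data = disinfect(data, signature)        # step 2: repair the host
        remaining[path] = data
    return remaining, report


def residual_infections(files: Dict[str, bytes], worm_image: bytes,
                        signature: bytes) -> List[str]:
    """Re-scan after cleanup; anything listed here means a step was missed."""
    rep = classify(files, worm_image, signature)
    return rep["worm_copies"] + rep["infected_hosts"]


if __name__ == "__main__":
    remaining, report = clean_up(SAMPLE_FILES, WORM_IMAGE, VIRAL_SIGNATURE)
    for category, paths in report.items():
        print(f"{category}: {paths}")
    print("residual after cleanup:",
          residual_infections(remaining, WORM_IMAGE, VIRAL_SIGNATURE))
```

    Running only one of the two steps (delete the copies but leave the hosts,
    or repair the hosts but leave the copies) makes `residual_infections`
    non-empty on the next scan, which is the re-infection loop post #4 warns
    about.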
  8. Agreed, and in that case the ideas of worm and virus are kept separate,
    I like that. I used to think of it as a virus with a worm as a payload
    *and* a worm with a virus as a payload. Each sort of carries the other
    along in each its own spreading vector.

    If that were the idea, it would be best to say that worms don't infect
    other programs with copies of themselves instead of worms don't *need*
    to do so. Because that word *need* is in there, it makes it look like
    the worms are a subset of the replicating malware set which includes the
    viruses - specifically they are ones that have an *additional* or
    alternate method for spreading.

    I'm not disagreeing with your viewpoint, I am only trying to explain why
    the current definitions all seem to make a fuzzy picture - one could
    just as easily say that a virus is a kind of worm that doesn't *need* to
    create a file - and one could be just as wrong in so doing. Viruses *do*
    infect programs with copies of themselves, and worms *don't* - it's much
    simpler that way.
     
    FromTheRafters, Jan 8, 2012
    #8
  9. Virus Guy

    Dustin Guest

    The payload has always been what the virus does besides the intentional
    act of replication. Not all viruses have payloads. I.e., a payload could
    be something as simple as a message coming across the screen, or your
    mp3 files being messed with. The payload in a virus sense is like an
    aircraft carrying a payload of bombs to drop. :)

    OTW, the payload is the diddy.. the package. The virus is a delivery
    system.
    Viruses need a host, worms don't; they literally create themselves a
    functional copy. :). Both are simply replication systems. One relies on
    pre-existing files, one doesn't.
    Some of the definitions are very muddy and thus cause this confusion. I
    hope I've helped to remove a little of it. :)
     
    Dustin, Jan 8, 2012
    #9
  10. What you have done is confirmed that we see things the same way despite
    what the modern definitions say about it. This 'Ramnit' is a good
    example, as it is referred to variously as trojan, worm, and virus all
    over the web. I understand that different components get different
    detection names, and definitions for these various terms abound. :)

    Thanks for your clarification.
     
    FromTheRafters, Jan 8, 2012
    #10
  11. Virus Guy

    Dustin Guest

    I suspect that's due primarily to the non-technical writers classifying
    everything as a trojan. At some point, the av/am community just puts their
    arms up in the air. You can lead a horse to water, but short of drowning
    him, you can't make him drink it.
     
    Dustin, Jan 8, 2012
    #11
  12. [...]
    You can lead a horse to water, but short of drowning
    LOL, yep.
     
    FromTheRafters, Jan 8, 2012
    #12