Facebook Ramnit malware still in circulation

Facebook is a well known target for pretty much everything these days, so it's no surprise that Ramnit, a worm that first appeared in the wild back in 2010, has now been reported to have stolen over 45,000 Facebook login credentials. It's not only Facebook that has been under attack: online banking customers have also been targeted. I've seen Ramnit in operation (even with antivirus running in the background) and it is a very destructive piece of malware. Left on a system it will infect thousands of files, and the damage can be beyond repair. It's therefore impossible to suggest that one removal/cleaning method will work for everybody. That said, read on and I will make some simple suggestions. 🙂

Ramnit was devised* to steal your Facebook login credentials (using a keylogger) and then use the hijacked account to send malicious URLs to your friends and your friends' friends. Facebook, with its 800m+ members, is an ideal online location for the fast (viral) spreading of malicious links. Password-stealing malware/worms/Trojans are nothing new, but given that people reuse the same password across multiple websites (and upload large amounts of personal and behavioural 'habit' data), it's easy to see why Facebook is such a lucrative target for malware writers.

Ramnit is one of a 'malware family': like most malware it is re-engineered on a regular basis, with new modules and variants added to evade detection by antivirus engines (usually combined with packing and obfuscation of the code itself). New Ramnit variants appear all the time, which makes detection and cleaning rather more difficult. Ramnit also infects HTML files (appending a VBScript block that writes out and runs a fresh copy of the worm when the page is opened in a browser that allows it), steals stored FTP credentials and browser cookies, and opens back-doors. Anyone for HTML5?

I suggest you first run a full antivirus scan in Safe Mode with Networking, then install and run a full Malwarebytes scan, and remove the unwanted/malicious files that way. In addition I would also run HijackThis (Trend Micro), which creates an in-depth text report of system settings that have been changed (startup entries, browser settings, the hosts file and so on). You can then send this report to your antivirus vendor for analysis.

If that isn't successful (or your system is still slow or behaving oddly), I'd suggest reinstalling Windows from scratch, since you cannot take the risk that an infected file remains. Bear in mind that any backup taken while the machine was infected may contain infected executables and HTML files, so scan it before you restore anything from it.
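The HTML infection is the part of a clean-up that is most easily missed: a cleaned machine can be re-infected simply by opening a web page that Ramnit appended its dropper to. The following is an added example (not code from the original post) that walks a folder and flags .htm/.html files carrying that kind of appended VBScript dropper. The indicator strings are assumptions based on public descriptions of Ramnit's HTML infector, and the two sample pages at the bottom are constructed for the demo rather than taken from a real infection.

```python
"""Triage helper: flag HTML files that carry an appended VBScript dropper.

Added example, not code from the original post. The indicators below are
assumptions taken from public descriptions of Ramnit's HTML infector (an
appended VBScript block that writes a hex-encoded .exe to disk and runs it);
the sample pages at the bottom are constructed for the demo.
"""
import re
import sys
from pathlib import Path

# All indicators must match before a file is flagged, to keep false
# positives down on legitimate pages that merely use VBScript.
INDICATORS = [
    ("vbscript_block",
     re.compile(r"<script[^>]*language\s*=\s*['\"]?vbscript", re.I)),
    ("filesystem_object",
     re.compile(r'CreateObject\(\s*"Scripting\.FileSystemObject"\s*\)', re.I)),
    ("wscript_shell",
     re.compile(r'CreateObject\(\s*"WScript\.Shell"\s*\)', re.I)),
    # A long hex string beginning with the PE "MZ" header (4D5A) is the
    # embedded executable that the script writes out.
    ("hex_mz_payload", re.compile(r'"4D5A[0-9A-F]{200,}"', re.I)),
]


def scan_html(text):
    """Return the names of the indicators present in one HTML document."""
    return [name for name, rx in INDICATORS if rx.search(text)]


def is_infected(text):
    """True only when every indicator is present."""
    return len(scan_html(text)) == len(INDICATORS)


def dropped_filename(text):
    """Name the dropper writes, if the script uses a DropFileName variable."""
    m = re.search(r'DropFileName\s*=\s*"([^"]+)"', text, re.I)
    return m.group(1) if m else None


def scan_tree(root):
    """Walk root and map each flagged .htm/.html path to its indicators."""
    hits = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in (".htm", ".html"):
            text = p.read_text(encoding="latin-1")  # never fails on odd bytes
            if is_infected(text):
                hits[str(p)] = scan_html(text)
    return hits


# Constructed samples. The "payload" is 4D5A followed by zero bytes, so even
# if this page were opened in a browser nothing runnable would be written.
CLEAN_PAGE = "<html><body><h1>Hello</h1></body></html>\n"
INFECTED_PAGE = CLEAN_PAGE + (
    "<SCRIPT Language=VBScript><!--\n"
    'DropFileName = "svchost.exe"\n'
    'WriteData = "4D5A' + "00" * 120 + '"\n'
    'Set FSO = CreateObject("Scripting.FileSystemObject")\n'
    'Set WSHshell = CreateObject("WScript.Shell")\n'
    "//--></SCRIPT>\n"
)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, found in scan_tree(root).items():
        print(f"{path}: {', '.join(found)}")
```

Run it against your documents folder, a web server's document root, or a mounted backup before restoring anything. Requiring all four indicators keeps legitimate VBScript pages from being flagged; a hit is a strong reason to treat the whole machine as compromised rather than to edit the script out of the page, because the same infection will also have touched executables.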

Bootnote: *Ramnit wasn't specifically devised to attack Facebook users; however, the main attack vector at the moment is Facebook, for the reasons mentioned in this post.

Safe surfing folks!



5 Responses to Facebook Ramnit malware still in circulation

  1. Pingback: Facebook Ramnit malware still in circulation | News | IT Security Magazine - Hakin9 www.hakin9.org

  2. Herpy J. Derp says:

    How about, instead of writing an empty fear-mongering “article”, void of any useful information whatsoever, you actually write something useful, such as describing *how* this supposed worm actually infects you? Y’know? So that people can guard against it?

    Is it from visiting a malicious website? Is it by having port 34521 left open? Does it come as a trojan packaged in malicious torrents?

    Yours derpilly,


    • Julian says:

      #Herpy# Suggestions were made in the post regarding simple free methods of protecting a user from the Ramnit worm (which might I add is more than mainstream online/print media currently provides). It’s not “scare or fear mongering” as you put it. It’s meant to be factual, current and relevant which it is.

      • Cate says:

        Well I can vouch for the article not being fearmongering because I got the Ramnit virus and almost nothing could kill it, even Malwarebytes, it’s really sneaky. It also doesn’t like google or anything to do with google. Pretty much all the suggested fixes ended up being duds but Windows Defender Offline seems to have killed it although only time will tell. It’s an evil virus and I’d like to get my hands on its author/s. I should mention that I have full anti-virus (AVG Pro) protection and it got right past it undetected. It launches itself as Windows Command Processor so watch out for that.

        • Julian says:

          #Cate# I don't do scaremongering – well at least I hope not. I'm hoping my extensive security knowledge base will benefit all my readers. I also benefit from my readers' knowledge base – it's a two way thing. 🙂 Some may also consider a career in security too.
