January 23, 2012, 12:55 PM PST
Takeaway: Bob Eisenhardt explains how the Facebook virus Ramnit works, why it’s so bad, and how it can affect much more than a Facebook account.
Ramnit is advertised as a lethal virus for attacking Facebook, having stolen 45,000 accounts and passwords. The virus itself is actually pulled from a used parts bin of older virus infestations such as the Zeus botnet. But it can now be controlled remotely for all kinds of mayhem too. According to Amit Klein, CTO of a web security services firm, last year it was just a nasty botnet. This new version has added power by being retrofitted with financial fraud capabilities. It can capture any data in any web session. Now, this writer has been a passionate HATER of cloud based computing, so in my view, having your data or (worse) sensitive client data stored through the Internet and accessed by HTML files, provides an open door for Ramnit, a truly awful threat to anything and everything web-based.
This monster begins by attaching itself to (as they always do) Windows files such as EXE, SCR and good old DLL files (when can we rid ourselves of those?) as well as Word documents. HTML files are also in this group, and it can now discover our handy pocket friend: USB cards. Once it has this new home, an autorun script ensures infection of whatever else our key is plugged into. Now resident in a system, it buries itself into the registry (nothing new there) and uses a hidden browser instance to connect to your friendly Hacker, and run scripts to find financial stuff and send it over to an eager thief. As Dr. Leonard McCoy said in STAR TREK IV: “Oh, joy.”
Ramnit leaves behind some classic symptoms of a virus. One user posted a note that his laptop was now clean (I doubt it) but he had one file named “yghaubfg.exe” and a folder “qdpnkxvp” on his system under Downloads. I am always amazed that hackers employ such obvious and fraudulent names for the files, for which we may be thankful. The latter file and directory name seem standard for Ramnit.
Cleaning up after Ramnit
Technicians love to spend hours on diagnostics and discovering how things work. While interesting, I prefer sanity to extended effort, so I endorse using a BartPE boot CD to clean your system. Better yet, maintain a GHOST image of your primary operating system drive and also have a redundant system, a secondary computer, to act as your station in case your primary fails. (A note on my preferred system configuration: my stations have two hard drives: OPSYS and STORAGE. The operating system drive contains just that and nothing else. STORAGE stores literally “everything else” inclusive of a ghost image. I highly commend this protocol).
The removal process is otherwise complex. One expert ran Avast antivirus, and a 2 hour scan revealed 4,300 infected files. Believe me that while re-installation may be the only option at this point, I commend a ghost image as discussed just above as a FAR better solution for rebuilding. This expert was also worried about .DOC and .HTML files being infected, which is another good reason for an independent backup location. Rolling back the registry to a restore point did not work either, all points having been deleted. (But Windows search still had the doggie. Go figure). Trust me, spending 30 minutes for a ghost image restore is a bargain of time utilization and keeps the stress level low.
Remedies for Facebook
All of which means that Facebook is nothing more than a really great delivery system for Ramnit to find other places to burrow into, which makes Facebook so damn dangerous. The worst of it is that people use it in their workplace. If your organization is into cloud computing, you have a really nice LEGAL exposure issue and a potential lawsuit in your future.
As for defense issues, the standard concepts of changing passwords every 30 days on Facebook is a good first, but simple step. A better step in the workplace is to lock out Facebook entirely, if it has no business use. There is an easy way to do this.
OpenDNS is a terrific web-management protocol, and has the paid program (inexpensive) has the ability to manage white and black lists. Implementing the DNS servers is simple. Once you have their DNS servers IP addresses, dig into the router or server, and replace your ISP DNS systems with their systems and voila! OpenDNS is your best friend. Dig into the Black list and add Facebook and whatever else you want. Users may scream, which is a good time to have them read not only this article but also anything describing the consequences of a lawsuit and unemployment benefits.
Danny Harris, security guru at Aon group, held a security seminar in 2003 that left the whole IT staff shaking their heads in shame. The bad guys are so good at what they do that our puny efforts seemed doomed to eternal failure. Case in point: virus code buried inside photographs that are impossible to see or detect. Same with the famous Facebook “two blondes” picture. Rule of thumb: someone sends you a picture: dump with freedom. The best rule is trust NOBODY and enjoy only your own photographs. On Facebook, this is a tall order indeed. Open a picture = hello Ramnit.
The root problem is that so we are Internet-web based for absolutely everything in life. Bill-paying is now the online way to live along with financial account access. Major banks have gotten better to a degree. If I try to access my accounts from another computer other than the one I have at home, the security protocols require a send and verify code to email, which is a great idea … unless someone hijacks my email too (from Facebook) and can get the code and impersonate me (from Ramnit) which is not farfetched idea at all. It really makes me long for my old DOS 3.2 computer in some ways.
Having scared myself to pieces, I created a GHOST image of this computer. Took 10 minutes to create = same to restore if I have to. Trust me, this is a far better, less stressful method to repair a computer.