
Facing down the Ramnit virus on Facebook: Tips for protection and clean-up

Bob Eisenhardt explains how the Facebook virus Ramnit works, why it's so bad, and how it can affect much more than a Facebook account.

Ramnit is advertised as a lethal virus for attacking Facebook, having stolen 45,000 accounts and passwords. The virus itself is actually pulled from a used parts bin of older virus infestations such as the Zeus botnet, but it can now be controlled remotely for all kinds of mayhem too. According to Amit Klein, CTO of a web security services firm, last year it was just a nasty botnet; this new version has added power by being retrofitted with financial fraud capabilities, and it can capture any data in any web session. Now, this writer has been a passionate HATER of cloud-based computing, so in my view, having your data or (worse) sensitive client data stored through the Internet and accessed by HTML files provides an open door for Ramnit, a truly awful threat to anything and everything web-based.

This monster begins by attaching itself to (as they always do) Windows files such as EXE, SCR and good old DLL files (when can we rid ourselves of those?) as well as Word documents. HTML files are also in this group, and it can now discover our handy pocket friend: USB cards. Once it has this new home, an autorun script ensures infection of whatever else our key is plugged into. Now resident in a system, it buries itself in the registry (nothing new there) and uses a hidden browser instance to connect to your friendly Hacker and run scripts to find financial stuff and send it over to an eager thief. As Dr. Leonard McCoy said in STAR TREK IV: "Oh, joy."

Ramnit leaves behind some classic symptoms of a virus. One user posted a note that his laptop was now clean (I doubt it), but he had one file named "yghaubfg.exe" and a folder "qdpnkxvp" on his system under Downloads. I am always amazed that hackers employ such obvious and fraudulent names for their files, for which we may be thankful. That file and directory name seem to be standard for Ramnit.
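As an added example (not from the original article), the following Python script turns the symptoms above into a small triage check a technician could run over a Downloads folder or the root of a USB stick: it flags exact matches on the two names quoted here, flags an autorun.inf at the root of the scanned tree (the USB spreading vector described above), and separately flags executables or folders whose names are random-looking eight-letter lowercase strings like those two. The file layout it builds in a temporary directory is constructed for the demonstration, and the eight-letter heuristic is my own assumption about the naming pattern, offered as a review hint rather than a verdict.

```python
"""Ramnit symptom triage scanner (added example, not from the original article).

Walks a directory tree and reports two kinds of findings:
  * "ioc"       - exact match on the file/folder names the article quotes
                  ("yghaubfg.exe" and "qdpnkxvp"), or an autorun.inf sitting
                  at the root of the scanned tree (the USB autorun vector).
  * "heuristic" - executables or folders with a random-looking 8-letter
                  lowercase name.  This is a hint for a human to review, not a
                  verdict; ordinary names will occasionally trip it (assumption).
The layout built by build_sample_tree() is constructed for this example.
"""
import os
import tempfile

# Names quoted in the article as left behind by Ramnit.
KNOWN_NAMES = {"yghaubfg.exe", "qdpnkxvp"}
# File types the article says Ramnit attaches itself to.
EXECUTABLE_EXT = {".exe", ".scr", ".dll"}
VOWELS = set("aeiou")


def looks_random(stem: str) -> bool:
    """Heuristic (assumption): exactly 8 lowercase ASCII letters, at most 2 vowels.

    Both names quoted in the article fit this shape; most English words of that
    length do not, but some will, so treat a hit as "review", not "delete".
    """
    if len(stem) != 8 or not stem.isascii() or not stem.isalpha() or not stem.islower():
        return False
    return sum(ch in VOWELS for ch in stem) <= 2


def classify(name: str, is_dir: bool, at_root: bool):
    """Return (severity, reason) for one directory entry, or None if it looks clean."""
    lower = name.lower()
    if lower in KNOWN_NAMES:
        return ("ioc", "name matches Ramnit artefact quoted in article")
    if at_root and not is_dir and lower == "autorun.inf":
        return ("ioc", "autorun.inf at root: USB autorun spreading vector")
    if is_dir:
        return ("heuristic", "random-looking folder name") if looks_random(lower) else None
    stem, ext = os.path.splitext(lower)
    if ext in EXECUTABLE_EXT and looks_random(stem):
        return ("heuristic", "random-looking executable name")
    return None


def scan_tree(root: str):
    """Walk root and return sorted (severity, absolute path, reason) tuples."""
    findings = []
    root = os.path.abspath(root)
    for dirpath, dirnames, filenames in os.walk(root):
        at_root = dirpath == root
        for entry, is_dir in [(d, True) for d in dirnames] + [(f, False) for f in filenames]:
            hit = classify(entry, is_dir, at_root)
            if hit:
                findings.append((hit[0], os.path.join(dirpath, entry), hit[1]))
    return sorted(findings)


def build_sample_tree(base: str) -> None:
    """Create a constructed layout mimicking a USB stick root plus a Downloads folder."""
    layout = {
        "autorun.inf": "[autorun]\n",          # constructed placeholder content
        "Downloads/yghaubfg.exe": "MZ-not-really",
        "Downloads/qdpnkxvp/keep.txt": "",
        "Downloads/setup.exe": "MZ-not-really",  # benign-looking name, must not be flagged
        "Downloads/report.doc": "",
        "Pictures/holiday.jpg": "",
    }
    for rel, content in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)


def demo_findings():
    """Build the constructed tree in a temp dir and return findings with relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [(sev, os.path.relpath(path, tmp).replace(os.sep, "/"), why)
                for sev, path, why in scan_tree(tmp)]


if __name__ == "__main__":
    for severity, path, reason in demo_findings():
        print(f"[{severity:9}] {path}: {reason}")
```

Run it as-is to see the report on the sample tree; to check a real folder, call scan_tree("D:\\") or scan_tree(os.path.expanduser("~/Downloads")) and read through the "heuristic" lines by hand before deleting anything. A clean-looking result is not proof of a clean machine, which is why the article still points to restoring an image.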

Cleaning up after Ramnit

Technicians love to spend hours on diagnostics and discovering how things work. While interesting, I prefer sanity to extended effort, so I endorse using a BartPE boot CD to clean your system. Better yet, maintain a GHOST image of your primary operating system drive and also have a redundant system, a secondary computer, to act as your station in case your primary fails. (A note on my preferred system configuration: my stations have two hard drives, OPSYS and STORAGE. The operating system drive contains just that and nothing else. STORAGE holds literally "everything else," inclusive of a ghost image. I highly commend this protocol.)

The removal process is otherwise complex. One expert ran Avast antivirus, and a 2-hour scan revealed 4,300 infected files. Believe me, while re-installation may be the only option at this point, I commend a ghost image as discussed just above as a FAR better solution for rebuilding. This expert was also worried about .DOC and .HTML files being infected, which is another good reason for an independent backup location. Rolling back the registry to a restore point did not work either, all restore points having been deleted. (But Windows search still had the doggie. Go figure.) Trust me, spending 30 minutes on a ghost image restore is a bargain in time utilization and keeps the stress level low.

Remedies for Facebook

All of which means that Facebook is nothing more than a really great delivery system for Ramnit to find other places to burrow into, which is what makes Facebook so damn dangerous. The worst of it is that people use it in their workplace. If your organization is into cloud computing, you have a really nice LEGAL exposure issue and a potential lawsuit in your future.

As for defense, the standard concept of changing your Facebook password every 30 days is a good first, but simple, step. A better step in the workplace is to lock out Facebook entirely, if it has no business use. There is an easy way to do this.

OpenDNS is a terrific web-management service, and its (inexpensive) paid program has the ability to manage white and black lists. Implementing the DNS servers is simple. Once you have their DNS servers' IP addresses, dig into the router or server, replace your ISP's DNS servers with theirs, and voila! OpenDNS is your best friend. Dig into the black list and add Facebook and whatever else you want. Users may scream, which is a good time to have them read not only this article but also anything describing the consequences of a lawsuit and unemployment benefits.

Danny Harris, security guru at Aon Group, held a security seminar in 2003 that left the whole IT staff shaking their heads in shame. The bad guys are so good at what they do that our puny efforts seemed doomed to eternal failure. Case in point: virus code buried inside photographs that is impossible to see or detect. Same with the famous Facebook "two blondes" picture. Rule of thumb: if someone sends you a picture, dump it with freedom. The best rule is to trust NOBODY and enjoy only your own photographs. On Facebook, this is a tall order indeed. Open a picture = hello Ramnit.

The root problem is that we are so Internet-based for absolutely everything in life. Bill-paying is now the online way to live, along with financial account access. Major banks have gotten better to a degree. If I try to access my accounts from a computer other than the one I have at home, the security protocols require a code to be sent to my email and verified, which is a great idea ... unless someone hijacks my email too (from Facebook) and can get the code and impersonate me (from Ramnit), which is not a farfetched idea at all. It really makes me long for my old DOS 3.2 computer in some ways.

Having scared myself to pieces, I created a GHOST image of this computer. It took 10 minutes to create, and the same to restore if I have to. Trust me, this is a far better, less stressful method of repairing a computer.

27 comments
santosh_cc

Facebook is the best way for sharing content and photographs with your friends, but there are a few things that shouldn't be shared on the world's largest social networking website. I've written about 5 things you should never do on Facebook. Just get it here.

glitch177k

If you aren't on Windows 7, get Windows 7. If you're using XP you deserve viruses. With that said, there is a fairly simple implementation that can really safeguard against viruses and make cleanup pretty easy. When you first load Windows 7, the default account is an admin account. Create a second account that is a basic user account and use that. If you need to install something, it will prompt you for credentials if it is accessing a critical area and you can enter the admin credentials. At that point, exercise common sense on what you install and you're fine. If you're merely using Facebook and something prompts for your credentials, don't give them out. If you do manage to get a virus in this configuration, just boot into safe mode and rename your profile to something else and let your profile rebuild. Copy your safe docs and favorites over and you're back up and running. All of the keys that kick off the virus in this config won't kick off if you blow away the profile and start over.

Brainstorms

1. Build your Windows machine in a virtual machine. (VirtualBox is good.)
2. Run either Linux (Ubuntu is good) or another copy of Windows as your base OS, and run VirtualBox (or other) for hosting your Windows guest.
3. Immediately after creating your Windows VM, back up the (clean) VM to a safe place. Make it read-only. You'll need it to re-install, like Ghost -- which you won't have to purchase.
4. If Windows is your base OS, uninstall all web browsers, etc. so that you are NOT tempted to access the Internet from your base OS. (The idea is to keep your base OS free of viruses...)
5. If/when your Windows VM gets infected, quarantine it and re-install your read-only backup VM.

Note that you can spare yourself Step #4 and purchasing a second copy of Windows by using Linux as your base OS. You can surf the net with confidence from Linux. (At least for now... :^) You can also use a "second instance" of your backed-up VM to "test drive" a website / download / Facebook page / application -- if it brings in a nasty, you just delete the VM afterwards, and go back to "business as usual".

eric.smith

I really think your point about someone hijacking your email account from Facebook can be addressed in this way. Just like you do with your hard drives, and I do too, have a secondary email address. Never use the email address you use for social media sites like Facebook for your financial data accounts. I always use a designated email account for online purchases and bill pay and a second one for Facebook, etc. Also, I go further by having a third account used exclusively for banking. Even if someone were to hijack your FB account they would have no info for your other accounts.

Gudufl

Bob, your preferred system configuration: OPSYS and STORAGE. OPSYS contains the OS and nothing else. Do I understand this correctly that all your application software (PROGRA~1), like word processor, spreadsheet, mail client, utilities etc., runs on STORAGE? Or were you just not specific in your statement?

GuyOnTech

"A better step in the workplace is to lock out Facebook entirely, if it has no business use. There is an easy way to do this."

Banning Facebook in the enterprise is not an answer to the problem. As many I.T. pros of old would still tell you, control is the admin's best friend. Wrong: it's a sure-fire way to limit the users' ability to work. Also, preventing them from taking small 'social' breaks risks making the average employee even less productive. I agree that limitations have to be set for those employees that will abuse any 'open' I.T. policy, but banning a social network completely will make you public enemy number 1. A next generation firewall would be my first recommendation: a unified threat management (UTM) appliance that can anti-virus scan traffic at the gateway by using several different AV vendors' offerings. Such a device can also be used to limit the time spent on social networks on an individual or group basis, with many UTMs linking with Active Directory for user management. It's about time I.T. departments and old school I.T. pros realised that old school techniques no longer apply to a modern world.

zyzygy

Data separation is a great idea in theory, but it is so hard to do in practice. Every app that runs on Windows tries to put its stuff into the C: drive by default. If there is some magic wand to change that default I'd love to know it.

harl_ey

I am not sure why any serious IT person would seriously condone using Facebook as a form of legitimate communication. Anyone who has been through the internet revolution from its inception would agree that social media goes through phases. Facebook has just proven how not to express yourself socially. If you think that you can secure a PC through Internet Security - you can't. If you think that you can clean an infected PC - unlikely. People, it is going to get worse before it gets better. Just don't use Facebook or other social media. I have been fixing PCs for 20 years and have seen more infections through Facebook than any other form of media. Case example - an older lady client of mine only emailed on her PC. She never knew what a virus was or what email spam was - NEVER. She signed up for Facebook - within MINUTES she received spam... spam had links to viruses... infected. Go get yourself a friend or two in real life, talk to them, and avoid social media.

kenmo

...a boot CD based system for all my sensitive stuff like banking, payments, etc. When I turn it off... poof, away goes everything. I think in light of this new malware, I'll also use the same setup to access FB (in a different session from above type stuff of course) for safety's sake. Any of the bootable Linux distros will do for the purpose.

Litehouse

Why would we rid ourselves of DLLs? They are an important and very useful component to application development.

bobk1

Is there a step-by-step cleanup process for Ramnit listed anywhere? If I send this out to friends, it will just scare them.

aflynnhpg

With 45,000 infected FB accounts with this malware alone, does FB not bear any responsibility in being a haven for malware infestation?

gwconner

I also use the same technique of using one drive for the operating system only, and a second drive for data. I find it very helpful in that in the event of a catastrophic failure, I simply restore my OS from an image file. It has come to my rescue on several occasions.

jcinmarin

Best defense is to just open Facebook in a virtual sandbox window. Then when you open a picture or some virus-laden object, it will just remain in the sandbox, never to infect your computer.

Slayer_

Cause if so, I want to tell people. Also, is it Windows specific?

aaron.j.copley

Since when is OpenDNS the end-all solution to content filtering in the enterprise? I've seen a handful of articles recently touting its ability to block social media, streaming video, etc...

mikebertie

I checked after reading this post, and Norton already has the protection patch out and it is loaded on any machine that has automatic live update. As I often suspect, a good virus scanner will not only catch and disable most viruses on the fly, but will clean up equally well. No need to kill this ant with a sledgehammer...

jonrosen

Don't use that idiotic online crap

jp-dutch

Rambling article, which leaves the main question unanswered. Do you get infected by just visiting Facebook? Or do you have to perform certain actions? And why should I trust something from http://www.nu2.nu/pebuilder/?? What country is that anyway?

JustinF

This isn't a particularly useful piece, more of a vent/rant/opinionated piece than a useful technical article, sorry.

admiraljkb

For myself personally, I run Ubuntu Desktop on bare metal, and Win7 inside a VM for the few apps that don't run under Ubuntu. This accomplishes a couple of things.

1. Ubuntu is more secure by default and much less targeted to boot.
2. If something happens with my Win7 "machine", from an infection (less likely to happen with it being isolated in a VM) to just a bad IT change control (just as bad), I just roll back to the last known good snapshot. Much faster than Ghost (or in my case Clonezilla).

BALTHOR

Facebook doesn't always add up to me. Probably Baghdad.

Michael Kassner

I agree with your assessment, but wanted to pass along a concern that I became aware of the hard way. You can image a drive all you want, but you have to make sure it's clean -- no sleepers. Otherwise you are right back where you started.

JJFitz

"As many I.T pro's of old would still tell you control is the admin's best friend, wrong, its a sure fire way to limit the users ability to work."

I really don't care if you call me old school. Experience has shown me that if you remove control on the desktop, you decrease productivity. Employees would install any application they wanted to create files and expect co-workers to have the expertise to use their application. Or worse, nobody could open the files their co-worker created. Then there are the games that get installed and the incompatible browsers, and the music players, and the file sharing applications, and the remote desktop sharing applications, and the stacks of toolbars in the browser. Then they would complain that their computer was slow and ask for a replacement. My Help Desk staff would spend most of their time undoing the mess that the users created on their desktops. No, I don't miss those days one bit. That being said, I don't mind it if users check in on Facebook every so often. As you say, you can put in controls (security appliances) to keep their computers out of harm's way. But remove other controls? I say absolutely not.

mckinnej

I use the same strategy. Running the browser in something like Sandboxie is also a good thing.

JJFitz

After I set up a new system, I immediately create an image. Then I create a new image every week. (It's automated.) If something goes wrong, I can go back to the newest clean image. It may be a pain sifting through images, but it has saved me and it sure beats reinstalling the OS and starting from scratch.

admiraljkb

I understand a kid thinking that the old timers are just fuddy-duddies, but they have to understand that IT has a responsibility to the Executive Management, who have a responsibility to the Board of Directors, who have a responsibility to the stockholders. Widespread mismanagement in IT at best will get people fired, at worst could land someone in jail, or even worse, bankrupt the company with everyone de facto "fired". A couple of high profile security breaches that are the result of Facebook worms, and you'll see the "loosey-goosey" companies tighten back up real quick, along with a CIO or two released from their positions.
