Ramnit, once a worm used to commit financial fraud, is now infecting more than 45,000 Facebook accounts, according to the security firm Seculert.
The worm has stolen login credentials from accounts, mostly in France and the U.K., and Seculert believes it is being used to hack into accounts and transmit malware in the form of links to friends.
Seculert has more on the worm's history:
Discovered in April 2010, the Microsoft Malware Protection Center (MMPC) described Ramnit as “a multi-component malware family which infects Windows executable as well as HTML files”, “stealing sensitive information such as stored FTP credentials and browser cookies”. In July 2011 a Symantec report [PDF] estimated that Ramnit worm variants accounted for 17.3 percent of all new malicious software infections.
In August 2011, Trusteer reported that Ramnit went 'financial'. Following the leakage of the ZeuS source-code in May, it has been suggested that the hackers behind Ramnit merged several financial-fraud spreading capabilities to create a "Hybrid creature" which was empowered by both the scale of the Ramnit infection and the ZeuS financial data-sniffing capabilities. This synergy has enabled Ramnit to bypass two-factor authentication and transaction signing systems, gain remote access to financial institutions, compromise online banking sessions and penetrate several corporate networks. With the use of a Sinkhole, we discovered that approximately 800,000 machines were infected with Ramnit from September to end of December 2011.
The worm affecting Facebook is cited as a completely new version. Slashgear describes the worm as having changed continually since it was spotted in 2010 and states that all Ramnit variations account for 17.3 percent of total software infections.
The firm also thinks that, having gained the passwords to these accounts, the attackers could be taking advantage of users who don't use different passwords for other accounts such as Gmail, corporate SSL VPN and Outlook Web Access.
Update: Facebook has said that most of the stolen passwords were "out of date." In a statement, the social networking site says that it is nonetheless taking steps to help those who were affected.
[H/T Ars Technica]