
Meet Ramnit, the recycled worm - BullGuard



Right now, in some corner of the world, there’s a cybercriminal thinking of some new scheme to outsmart people’s antivirus protection (where there is any) and get to their sensitive information. And recycling older versions of malware to match current context seems to be more convenient than developing new threats from scratch. This is the case with Ramnit, the “recycled computer worm”, as we call it.


Ramnit is a computer worm that infects Windows executables, Microsoft Office and HTML files. If you don’t have proper antivirus protection on your PC, it can steal user names, passwords and browser cookies, and allow hackers to carry out other malicious actions on an infected computer. It is worth noting that, unlike computer viruses, computer worms can replicate themselves without having to be attached to an existing program. This ability lets Ramnit spread copies of itself online very rapidly.



“Worming” its way up to Facebook


The story of Ramnit began in April 2010, when cybercrooks used it to steal FTP credentials and browser cookies from infected machines. In August 2011, a more “powerful” variant of the worm was unleashed in the financial world. The new Ramnit was able to bypass two-factor authentication and transaction signing systems, and to gain remote access to financial institutions, online banking sessions and corporate networks. January 2012 brought about the social variant of Ramnit, which primarily hit Facebook users in the UK and France. It started stealing their login credentials and using the hacked accounts to share the Ramnit worm infection with users’ friends. Supposedly, once the attackers took hold of those credentials, they started checking whether the victims used their Facebook credentials on other accounts (Gmail, Outlook Web Access, bank accounts, corporate e-mail and VPN systems) and, in such cases, they breached those accounts too. Thus, their attack reached a larger scope, targeting individuals as well as companies.


Targeting for what? – Hijacking sensitive information or high-value personal and corporate credentials, and then using them as their own or selling them on the online black market.



Hackers recycle too. What? Malware, naturally…


Given the viral power of social media, attacking social networks seems a more productive way to gather private data. And the attackers behind Ramnit have spotted this opportunity and acted accordingly: they’ve taken an older variant of Ramnit, updated it with new capabilities from the notorious Zeus Trojan, and changed the “spreading channel” – social media instead of the traditional e-mail spam – for wider propagation.

Ramnit’s rapid evolution is just one example of how malware writers can use older versions of malware and “perk them up” to make them more efficient or in line with new hacking opportunities. Other such cases, involving computer worms or other malware, are likely to become more common in the future. And non-existent antivirus protection certainly renders computers vulnerable to them.



How to avoid damage caused by Ramnit


Don’t use the same password or username for multiple accounts and certainly not the same password for both your Facebook and your bank account.


Be wary of the links you click on and the file attachments you receive. You can avoid the social variant of the Ramnit worm by not clicking on every link or opening every file your Facebook contacts share. Especially if it’s a contact you barely know. Also, avoid links or files sent via e-mail by contacts you barely communicate with. Some of them can direct you to infected websites, which download the worm to your computer. In such cases, antivirus protection is a must!


It’s recommended that service providers use multifactor authentication for users logging in to their sites. The social variant of Ramnit proves that some users can have not one, but multiple accounts hacked, because they use the same login credentials. So the service providers’ sites can also be affected.


Infections with some variants of the Ramnit worm can cause: redirections of internet searches, changes of browser homepage settings, computer slow-downs, unwanted pop-ups.

If your computer shows such symptoms, prompt your antivirus software to scan all your files.


Make sure you have effective antivirus software on your computer, such as BullGuard Antivirus 12. Thanks to its state-of-the-art behavioural detection technology added to traditional malware detection methods, BullGuard Antivirus 12 can spot even as-yet-unknown types of viruses, worms and other malware based on how they “act” within a computer. We’ll most certainly hear of other variants of the Ramnit worm in the future, so it’s best to go for proactive antivirus software. Prevention is always better than cure!
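The password-reuse advice above can be checked against your own accounts. The following Python script is an added example, not BullGuard code: it audits a password-manager export and lists which other accounts would be exposed if one site's login were stolen. The CSV layout (`site,username,password`), the function names and the sample rows are assumptions constructed for illustration.

```python
import csv
import hashlib
import hmac
import io
import os
from collections import defaultdict

# Constructed sample export (site, username, password); not real credentials.
SAMPLE_EXPORT = """site,username,password
facebook.com,ana@example.com,Summer2012!
gmail.com,ana@example.com,Summer2012!
bank.example,ana.p,Summer2012!
vpn.corp.example,apopescu,Xk9#pL2v-unique
forum.example,ana_p,forum-only-pass
shop.example,ana@example.com,forum-only-pass
"""

def reuse_clusters(export_text, key=None):
    """Group accounts that share a password; return sorted lists of (site, username)."""
    # Per-run random key: only keyed digests are held in memory while grouping,
    # and they cannot be matched against anything outside this run.
    key = key or os.urandom(32)
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        digest = hmac.new(key, row["password"].encode("utf-8"), hashlib.sha256).digest()
        groups[digest].append((row["site"].strip().lower(), row["username"].strip()))
    # A password used by a single account is not reuse, so drop those groups.
    return sorted(sorted(accounts) for accounts in groups.values() if len(accounts) > 1)

def blast_radius(export_text, compromised_site):
    """Accounts that fall together with compromised_site because they share its password."""
    for cluster in reuse_clusters(export_text):
        if compromised_site in [site for site, _ in cluster]:
            return [account for account in cluster if account[0] != compromised_site]
    return []

if __name__ == "__main__":
    for cluster in reuse_clusters(SAMPLE_EXPORT):
        print("shared password:", ", ".join(f"{site} ({user})" for site, user in cluster))
    print("exposed by a stolen Facebook login:", blast_radius(SAMPLE_EXPORT, "facebook.com"))
```

Every account the script lists for a site should get its own password, starting with e-mail, banking and VPN logins.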
