Facebook worm feeds off Google's reputation

New worm crawling Facebook accounts leads victims to "videos" on Google Reader and Google Picasa pages that in turn link to malicious server sites.

Researchers at Fortinet say you can't view this video because it's really a Trojan horse. Fortinet

For most Facebook users, it's common to receive a message from a friend urging them to visit a page containing a video. But one video currently making the rounds appears on a Google page and will not play unless a new codec is downloaded and installed. The link provided on the Google page is not a video link, say researchers at Fortinet, but a link to a Trojan horse hosted on yet another server.

Guillaume Lovet, senior manager of Fortinet's security research team, told CNET News that Google sites were chosen because they have a well-regarded reputation and are unlikely to be blocked by spam or phishing filters. The Google page does not actually host the malware, only a link that connects the user with the malware host site.

In order to pull this off, the attackers had to register their own Google Reader accounts either by themselves, or through automated methods using phishing sites or so-called Captcha solvers. The Google pages, which were still live at press time, exist only to lead visitors to malicious sites.

For example, clicking the video takes the visitor to a "player" on a non-Google page where a message about a missing codec is displayed. Unsuspecting viewers might be tempted to download it. The codec is actually a Trojan, Lovet said.

He said the Trojan being used in this attack is a downloader that includes Browser Helper Objects (BHOs) related to fake security software, or "scareware." The scenario here is that users will see a virus warning on their computer, then a prompt that asks if they want to purchase some security product to remove the malware from the PC. The criminals take the users' money, but the computer remains infected (or never was infected).

Lovet said the downloader currently does not include a copy of the worm. The only way at the moment to get infected is via the Facebook messages. He suspects that's for a reason--that the attackers might try to sell the messages from Facebook to others to spread their own malware.

A Google representative said, "Google works actively to detect and remove accounts that serve or link to malware. We're investigating reports we've received on this issue and are committed to shutting down any accounts that violate our guidelines."

Fortinet says you can tell the dialog box is from a Slavic country because of the lack of definite articles. Fortinet

Tags:
Security
About the author

    As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.

     

    Join the discussion

    Conversation powered by Livefyre

    Show Comments Hide Comments
    Latest Galleries from CNET
    10 mobile gadgets gone gonzo (pictures)
    Apple in 2014: iPhone 6, iCloud hack, Beats and more (pictures)
    The 12 most distinctive phones of 2014 (pictures)
    Best mobile games of 2014
    Nissan gives new Murano bold style (pictures)
    Top great space moments in 2014 (pictures)