Facebook worm feeds off Google's reputation

New worm crawling Facebook accounts leads victims to "videos" on Google Reader and Google Picasa pages that in turn link to malicious server sites.

Researchers at Fortinet say you can't view this video because it's really a Trojan horse. Fortinet

For most Facebook users, it's common to receive a message from a friend urging them to visit a page containing a video. But one video currently making the rounds appears on a Google page and will not play unless a new codec is downloaded and installed. The link provided on the Google page is not a video link, say researchers at Fortinet, but a link to a Trojan horse hosted on yet another server.

Guillaume Lovet, senior manager of Fortinet's security research team, told CNET News that Google sites were chosen because they have a well-regarded reputation and are unlikely to be blocked by spam or phishing filters. The Google page does not actually host the malware, only a link that connects the user with the malware host site.

In order to pull this off, the attackers had to register their own Google Reader accounts either by themselves, or through automated methods using phishing sites or so-called Captcha solvers. The Google pages, which were still live at press time, exist only to lead visitors to malicious sites.

For example, clicking the video takes the visitor to a "player" on a non-Google page where a message about a missing codec is displayed. Unsuspecting viewers might be tempted to download it. The codec is actually a Trojan, Lovet said.

He said the Trojan being used in this attack is a downloader that includes Browser Helper Objects (BHOs) related to fake security software, or "scareware." The scenario here is that users will see a virus warning on their computer, then a prompt that asks if they want to purchase some security product to remove the malware from the PC. The criminals take the users' money, but the computer remains infected (or never was infected).

Lovet said the downloader currently does not include a copy of the worm. The only way at the moment to get infected is via the Facebook messages. He suspects that's for a reason--that the attackers might try to sell the messages from Facebook to others to spread their own malware.

A Google representative said, "Google works actively to detect and remove accounts that serve or link to malware. We're investigating reports we've received on this issue and are committed to shutting down any accounts that violate our guidelines."

Fortinet says you can tell the dialog box is from a Slavic country because of the lack of definite articles. Fortinet

Featured Video
6
This content is rated TV-MA, and is for viewers 18 years or older. Are you of age?
Sorry, you are not old enough to view this content.

New Google OnHub router is one of a kind

Reviewing the search giant's sleek and super-cool OnHub home router (while totally and completely trusting Google with personal info).

by Dong Ngo