For most Facebook users, it's common to receive a message from a friend urging them to visit a page containing a video. But one video currently making the rounds appears on a Google page and will not play unless a new codec is downloaded and installed. The link provided on the Google page is not a video link, say researchers at Fortinet, but a link to a Trojan horse hosted on yet another server.
Guillaume Lovet, senior manager of Fortinet's security research team, told CNET News that Google sites were chosen because they have a well-regarded reputation and are unlikely to be blocked by spam or phishing filters. The Google page does not actually host the malware, only a link that connects the user with the malware host site.
In order to pull this off, the attackers had to register their own Google Reader accounts either by themselves, or through automated methods using phishing sites or so-called Captcha solvers. The Google pages, which were still live at press time, exist only to lead visitors to malicious sites.
For example, clicking the video takes the visitor to a "player" on a non-Google page where a message about a missing codec is displayed. Unsuspecting viewers might be tempted to download it. The codec is actually a Trojan, Lovet said.
He said the Trojan being used in this attack is a downloader that includes Browser Helper Objects (BHOs) related to fake security software, or "scareware." The scenario here is that users will see a virus warning on their computer, then a prompt that asks if they want to purchase some security product to remove the malware from the PC. The criminals take the users' money, but the computer remains infected (or never was infected).
Lovet said the downloader currently does not include a copy of the worm. The only way at the moment to get infected is via the Facebook messages. He suspects that's for a reason--that the attackers might try to sell the messages from Facebook to others to spread their own malware.
A Google representative said, "Google works actively to detect and remove accounts that serve or link to malware. We're investigating reports we've received on this issue and are committed to shutting down any accounts that violate our guidelines."