'Hocus Pocus 2' Review Wi-Fi 6 Router With Built-In VPN Sleep Trackers Capital One Claim Deadline Watch Tesla AI Day Student Loan Forgiveness Best Meal Delivery Services Vitamins for Flu Season
Want CNET to notify you of price drops and the latest stories?
No, thank you

Facebook worm feeds off Google's reputation

New worm crawling Facebook accounts leads victims to "videos" on Google Reader and Google Picasa pages that in turn link to malicious server sites.

Researchers at Fortinet say you can't view this video because it's really a Trojan horse.

For most Facebook users, it's common to receive a message from a friend urging them to visit a page containing a video. But one video currently making the rounds appears on a Google page and will not play unless a new codec is downloaded and installed. The link provided on the Google page is not a video link, say researchers at Fortinet, but a link to a Trojan horse hosted on yet another server.

Guillaume Lovet, senior manager of Fortinet's security research team, told CNET News that Google sites were chosen because they have a well-regarded reputation and are unlikely to be blocked by spam or phishing filters. The Google page does not actually host the malware, only a link that connects the user with the malware host site.

In order to pull this off, the attackers had to register their own Google Reader accounts either by themselves, or through automated methods using phishing sites or so-called Captcha solvers. The Google pages, which were still live at press time, exist only to lead visitors to malicious sites.

For example, clicking the video takes the visitor to a "player" on a non-Google page where a message about a missing codec is displayed. Unsuspecting viewers might be tempted to download it. The codec is actually a Trojan, Lovet said.

He said the Trojan being used in this attack is a downloader that includes Browser Helper Objects (BHOs) related to fake security software, or "scareware." The scenario here is that users will see a virus warning on their computer, then a prompt that asks if they want to purchase some security product to remove the malware from the PC. The criminals take the users' money, but the computer remains infected (or never was infected).

Lovet said the downloader currently does not include a copy of the worm. The only way at the moment to get infected is via the Facebook messages. He suspects that's for a reason--that the attackers might try to sell the messages from Facebook to others to spread their own malware.

A Google representative said, "Google works actively to detect and remove accounts that serve or link to malware. We're investigating reports we've received on this issue and are committed to shutting down any accounts that violate our guidelines."

Fortinet says you can tell the dialog box is from a Slavic country because of the lack of definite articles. Fortinet