Facebook Worm drives by Google Reader and Picasa (updated)
Since end of July 2008, worms targeting Facebook users have been spotted here and there. The strategy has been simple, yet effective: A malicious message is sent to friends of the infected user, prompting them to visit a page carrying an online video – something utterly common in today’s Web 2.0 era. However, should the targeted users follow the link, they would soon find out the video does not start…. unless they install a special codec, as prompted for by the page! As a matter of course, the said codec is nothing else than a Trojan, loading various malware pieces, possibly including a copy of the worm.
Very recently, an interesting bit was added to the attack’s social engineering strategy: As can be seen on Figure 1 below, the link in the malicious, rogue message points to Google.
Figure 1: Notice the intentionally apocalyptic spelling of the message’s title, which could aim at fooling Facebook filters
Upon clicking it, the targeted user is indeed brought to a Google Reader share, seen on Figure 2 below:
Figure 2: This seems to be more than just a tongue-in-cheek video
Google Reader is a news reader allowing its users to share the news they find interesting with their social network (in buzz words, this is a Web 2.0-enabled news reader), and with the public via their “shares” page. It appears that cyber criminals behind the Facebook worms registered Google Reader accounts (either manually, or automatically via phishing operations or automated CAPTCHA solvers) for the sole purpose of loading them with links to malicious sites. Indeed, upon clicking on the tempting video frame seen in the News Reader on Figure 2, the victim is redirected to a classic fake-codec (W32/Zlob.NKX!tr.dldr), Trojan enabled site:
Figure 3: The lack of definitive articles indicates this is the work of Slavic hackers
This “hop” via a Google Reader share serves an essential purpose: it gives the targeted user the feeling that the video is hosted on Google. Thus it must be safe. Combo that with the “it’s a message from a friend” factor, which naturally lowers down users’ wariness shields, and you get quite a good chance of seeing your victim perform the dreaded click.
Update (October 29, 2008):
The cyber criminals behind this scheme are now using Google Picasa to lure targeted users, with the URL in the suspect Facebook messages now being:
http://picasaweb.google.com/[removed]/Youtube#52610132498569990
There, the same video screen grab is displayed and users are enticed to follow the link of the caption:
Figure 4: Pro-Tip: You can’t open it because it’s a Trojan, not because you miss the codecs
After checking, it appears that allowing links in picture captions is really Picasa feature, which could potentially introduce more security threats. Which leads to the question: Is this functionality worth the potential risks if rogue Picasa users post malicious URLs?
Fortinet customers who subscribe to Fortinet¡¦s antivirus and Web content filtering services should be protected against these threats. Fortinet¡¦s antivirus and Web content filtering services are two components of FortiGuard Subscription Services, which also offer comprehensive solutions such as IPS and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat’s lifecycle.
Acknowledgement:
Guillaume Lovet of Fortinet’s FortiGuard Global Security Research Team
URL: http://www.fortiguardcenter.com/advisory/FGA-2008-26.html