July 31st, 2008

Web worms squirm through Facebook, MySpace

Posted by Ryan Naraine @ 4:31 pm


My colleagues at Kaspersky Lab (see disclosure) have intercepted two new worms squirming through MySpace and Facebook, using social engineering lures to plant malware on Windows systems.

The worms propagate via the comments features on the two popular social networks, using video lures and fake Flash Player downloads to trick end users into installing malicious executables.

As part of their malicious payload, the worms transform victim machines into zombie computers to form botnets. Even though the worms are currently only infecting MySpace and Facebook users, Kaspersky Lab analysts are warning users that the worms are designed to upload additional malicious modules with other functionality via the Internet. It is highly probable that victim machines will not only be used for spreading links via these social networking sites, but the botnets will also be used for other malicious purposes.

Some of the messages and comments posted to the social network sites include:

  • Paris Hilton Tosses Dwarf On The Street
  • Examiners Caught Downloading Grades From The Internet
  • Hello; You must see it!!! LOL. My friend catched you on hidden cam
  • Is it really celebrity? Funny Moments and many others.

The messages and comments include links to a fake YouTube-like site. Clicking on the link redirects the target to another YouTube clone fitted with a note to download the latest version of Adobe’s Flash Player.


However, instead of the latest version of Flash Player, a file called codesetup.exe is downloaded to the victim machine; this file is also a network worm. Kaspersky said its security suite detected the threats proactively and signatures were added to the database on July 31, 2008.
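The chain described above (social-network comment, video-clone page, redirect, executable download) can be hunted for in web proxy logs. The following is an added detection example, not code from the article or from Kaspersky Lab; the log record layout, the `.example` hostnames and the vendor allowlist are constructed assumptions.

```python
from urllib.parse import urlparse

SOCIAL_HOSTS = {"facebook.com", "myspace.com"}  # the two networks named in the article
VENDOR_HOSTS = {"adobe.com"}                    # assumption: allowlist for genuine Flash Player
EXEC_TYPES = {"application/x-msdownload"}

# Constructed sample proxy records: (client, referer, url, content_type)
SAMPLE_LOG = [
    ("10.0.0.5", "http://www.facebook.com/profile.php",
     "http://video-clips.example/watch?v=1", "text/html"),
    ("10.0.0.5", "http://video-clips.example/watch?v=1",
     "http://tube-player.example/view", "text/html"),
    ("10.0.0.5", "http://tube-player.example/view",
     "http://tube-player.example/codesetup.exe", "application/x-msdownload"),
    ("10.0.0.9", "http://www.adobe.com/flashplayer/",
     "http://www.adobe.com/flashplayer/install.exe", "application/x-msdownload"),
    ("10.0.0.7", "http://www.myspace.com/home",
     "http://news.example/story", "text/html"),
]

def base_host(url):
    """Last two DNS labels of the URL's host (simplification: ignores suffixes like co.uk)."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def is_executable(url, content_type):
    return urlparse(url).path.lower().endswith(".exe") or content_type in EXEC_TYPES

def find_lure_downloads(records):
    """Flag executables fetched along a browsing chain that began on a social network."""
    reached = {}  # client -> hosts reached, directly or via redirects, from a social site
    alerts = []
    for client, referer, url, ctype in records:
        src, dst = base_host(referer), base_host(url)
        hosts = reached.setdefault(client, set())
        if src in SOCIAL_HOSTS or src in hosts:
            if dst not in SOCIAL_HOSTS:
                hosts.add(dst)  # follow the chain through each intermediate site
            if is_executable(url, ctype) and dst not in VENDOR_HOSTS:
                alerts.append((client, url))
    return alerts

if __name__ == "__main__":
    for client, url in find_lure_downloads(SAMPLE_LOG):
        print(f"ALERT {client} fetched {url} via a social-network link chain")
```
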

The use of Flash Player downloads as the social engineering enticement is interesting. For the most part, malicious hackers have used fake codecs alongside video lures but, since Flash Player downloads are a normal part of the Web surfing experience, the likelihood that end users fall for this latest trick is rather high.

As usual, if you’re on a social networking site, you are encouraged to pay close attention to executables downloaded to Windows machines, keep your machine fully patched and run updated anti-malware software.

* Image source: Gastev’s Flickr photostream (Creative Commons 2.0)

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.



Talkback

Most Recent of 39 Talkback(s)

Huh?!
I keep getting spams in my inbox with very similar titles to those mentioned above. They immediately set off my mental "this is fishy" alert as no-one with two brain cells to rub together writes that ...
Posted by: tahrey. Posted on: 11/07/08