
Dodgy Facebook Messages Link To Worms



If a dodgy message from a friend pops up in Facebook, chances are that it's a link to a nasty worm. Discovered by the FortiGuard Global Security Research Team, the worm itself doesn't reside in Facebook or any of its applications. Using the old "click here" hoax, users who click through the links in that message are directed to a Google Reader page. Once there, Google Reader asks you to download a "codec" in order to view the contents of the page - but surprise, surprise - the "codec" you're downloading is in actual fact a worm!
Thanks for the heads-up, Fortinet. Read on for the full press release.


Facebook Worm Drives by Google Reader

MALAYSIA, 30 October 2008 – Fortinet - the pioneer and leading provider of unified threat management (UTM) solutions - today announced that its FortiGuard Global Security Research Team discovered a Facebook worm that is trying to leverage Google Reader to gain trust in visitors with an intention to download a malicious codec onto their machines.


Since the end of July 2008, worms targeting Facebook users have been spotted here and there. The strategy has been simple, yet effective: a malicious message is sent to friends of the infected user, prompting them to visit a page carrying an online video - something utterly common in today's Web 2.0 era. However, should the targeted users follow the link, they soon find out that the video does not start, unless they install a special codec, as prompted by the page! As a matter of course, the said codec is nothing other than a Trojan, loading various malware pieces, possibly including a copy of the worm.

As can be seen in Figure 1 below, the link in the malicious message points to Google.


Figure 1: Notice the intentionally apocalyptic spelling of the message's title, which could aim at fooling Facebook filters


Upon clicking it, the targeted user is indeed brought to a Google Reader share, seen in Figure 2 below:


Figure 2: This seems to be more than just a tongue-in-cheek video


Google Reader is a news reader allowing its users to share the news they find interesting with their social network (in buzz words, this is a Web 2.0-enabled news reader), and with the public via their "shares" page. It appears that the cyber criminals behind the Facebook worms registered Google Reader accounts (either manually, or automatically via phishing operations or automated CAPTCHA solvers) for the sole purpose of loading them with links to malicious sites. Indeed, upon clicking on the tempting video frame seen in the news reader in Figure 2, the victim is redirected to a classic fake-codec (W32/Zlob.NKX!tr.dldr), Trojan-enabled site:


Figure 3: The lack of definite articles indicates this is the work of Slavic hackers


“This ‘hop’ via a Google Reader share serves an essential purpose: it gives the targeted user the feeling that the video is hosted on Google. Thus it must be safe. Combo that with the ‘it's a message from a friend’ factor, which naturally lowers down users' wariness shields, and you get quite a good chance of seeing your victim perform the dreaded click,” said Guillaume Lovet, Senior Manager of Fortinet's FortiGuard Global Security Research Team.


Fortinet customers who subscribe to Fortinet’s antivirus and Web content filtering services should be protected against this threat. Fortinet’s IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.
