The worm was discovered by IT security provider Kaspersky Lab, which said the threat, Net-Worm.Win32.Koobface.b, is targeting Facebook users by creating spam messages and sending them to the infected user's friends via the site.
"Unfortunately, users are very trusting of messages left by 'friends' on social networking sites," said Alexander Gostev, senior virus analyst at Kaspersky Lab, in a statement. "So, the likelihood of a user clicking on a link like this is very high."
Computer security provider McAfee Labs agrees, and said the worm preys on the social aspects of the sites.
"It's important to note that spammed links leading to Koobface are likely to come from infected friends, reminiscent of early mass-mailing worms," the company said in its blog.
The first worm in this case, Net-Worm.Win32.Koobface.a, spreads when a user accesses his or her MySpace account. The worm creates commentaries to the user's friends' accounts.
Now, Net-Worm.Win32.Koobface.b is targeting Facebook users, creating spam messages and sending them to the infected user's friends via the Facebook site.
The messages and comments include texts such as "you look so amazing funny on our new video;" "Paris Hilton Tosses Dwarf On The Street;" "Examiners Caught Downloading Grades From The Internet;" "Hello; You must see it!!! LOL;" "My friend catched [sic] you on hidden cam;" "Is it really celebrity?" and several others.
The message and comments on Facebook include links to http://youtube.[skip].pl. However, if the user clicks on this link, he or sher is redirected to http://youtube.[skip].ru, a site that purportedly contains a video clip.
If the user tries to watch the clip, a message appears saying that he or she needs the latest version of Flash Player in order to watch the clip. However, instead of the latest version of Flash Player, a file called codecsetup.exe is downloaded to the victim's machine; this file is also a network worm.
The result is that users who have come to the site via Facebook will have the MySpace worm downloaded to their machines and vice versa.
Kaspersky detected these threats proactively and signatures were added to the database on July 31, 2008, the company said.
Even before the first virus struck, Kaspersky had forecast that there would be a proliferation of these problems.
"At the beginning of 2008 we predicted that we'd see an increase in cybercriminals exploiting MySpace, Facebook and similar sites, and we're now seeing evidence of this," said Gostev. "I'm sure that this is simply the first step, and that virus writers will continue to target these resources with increased intensity."
Facebook is already aware of this threat, McAfee Labs said, and the social networking site is purging the spammed links from its system.
To avoid the worm in the first place, McAfee advises users not to follow any unexpected links received over the Web, e-mail or IM, even if they are from someone you know. Ask for confirmation from the sender. Users should also install software and updates from the source, i.e., Adobe, instead of trusting content from a third-party Web site.
Facebook said that if accounts have been violated with the worm, users should use an online antivirus scanner and reset their password.
No comments:
Post a Comment