Facebook Hit By Classic Worm Attack

Zeus Trojan spreads when user views 'photos'; Facebook now blocking malicious domains spreading the attack

Dark Reading Staff, Dark Reading

November 30, 2011

2 Min Read
Dark Reading logo in a gray background | Dark Reading

A worm spreading via Facebook infects victims with a variant of the dangerous Zeus Trojan. The attack, which was first discovered by researchers at CSIS in Denmark, spreads via phony posts from an infected Facebook user's account that pretends to contain photos.

Like previous Facebook scams, it uses stolen account credentials to log in and then spam the victim account's "Friends" with the malicious posts. While a screenshot of the file appears to have a .jpg suffix, it's really a malicious screensaver file, according to Jovi Umawing, a security expert at GFI Software.

"Once run, it drops a cocktail of malicious files onto the system, including ZeuS, a popular Trojan spyware capable of stealing user information from infected systems," Umawing wrote in a blog post today. "The worm is also found to have anti-VM capabilities, making it useless to execute and test in a virtual environment, such as Oracle VM VirtualBox and VMWare."

Facebook has blocked the offending domains spreading the Trojan. "We are constantly monitoring the situation and are in the process of blocking domains as we discover them. We have internal systems in place configured specifically to monitor for variations of the spam and are working with others across the industry to pursue both technical and legal avenues to fight the bug," a Facebook spokesperson says.

The worm plays perfectly into Facebook's environment, security experts say.

"Facebook is built to easily allow people to share pictures, videos, and other content -- and people trust what they are receiving from their friends," says Mike Geide, senior security researcher at Zscaler ThreatLabZ Malware. "[For example], this recent example can take advantage of the sharing mechanisms and user's trust of their friends within social networking."

Meanwhile, new research published today from Norman ASA found that Zeus-based attacks are actually on the decline this year: While there were 20,000 Zeus-related incidents in January, according to Norman, there were "nearly negligible levels" of Zeus threats discovered in September.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Read more about:

2011

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights