Facebook Worm Drives by Google Reader

MALAYSIA, 30 October 2008 – Fortinet - the pioneer and leading provider of unified threat management (UTM) solutions - today announced that its FortiGuard Global Security Research Team discovered a Facebook worm that is trying to leverage Google Reader to gain trust in visitors with an intention to download a malicious codec onto their machines.

Since end of July 2008, worms targeting Facebook users have been spotted here and there. The strategy has been simple, yet effective: A malicious message is sent to friends of the infected user, prompting them to visit a page carrying an online video - something utterly common in today's Web 2.0 era. However, should the targeted users follow the link, they would soon find out the video does not start.... unless they install a special codec, as prompted for by the page! As a matter of course, the said codec is nothing else than a Trojan, loading various malware pieces, possibly including a copy of the worm.

Google Reader is a news reader allowing its users to share the news they find interesting with their social network (in buzz words, this is a Web 2.0-enabled news reader), and with the public via their "shares" page. It appears that cyber criminals behind the Facebook worms registered Google Reader accounts (either manually, or automatically via phishing operations or automated CAPTCHA solvers) for the sole purpose of loading them with links to malicious sites. Indeed, upon clicking on the tempting video frame seen in the News Reader on Figure 2, the victim is redirected to a classic fake-codec (W32/Zlob.NKX!tr.dldr), Trojan enabled site.

“This ‘hop’ via a Google Reader share serves an essential purpose: it gives the targeted user the feeling that the video is hosted on Google. Thus it must be safe. Combo that with the ‘it's a message from a friend’ factor, which naturally lowers down users' wariness shields, and you get quite a good chance of seeing your victim perform the dreaded click,” said Guillaume Lovet, Senior Manager of Fortinet's FortiGuard Global Security Research Team.

Fortinet customers who subscribe to Fortinet’s antivirus and Web content filtering services should be protected against this threat. Fortinet’s IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.