RealTime IT News

Facebook Worm Redux Taps Google Sites

Once again, social networking site Facebook has been hit by the Koobface worm, which has been used to attack it several times since July.

This latest attack, discovered by security vendor Fortinet, sends a message to users' Facebook friends urging them to click to view a video either uploaded to Google's Picasa photo-sharing site or shared in Google's Reader RSS feed aggregation site.

When victims try to do so, an error message pops up, asking them to download a new version of "Video ActiveX Object" so they can view the video. The Video ActiveX Object is a known malware application that helps spread the Zlob and Smitfraud Trojans.

The disclosure comes as the latest high-profile attack built around major, widely regarded sites. The fact that hackers are using Google's (NASDAQ: GOOG) Reader and Picasa sites is by design, in an effort to make the worm more likely to spread.

"Google is a trusted brand, so people are more likely to try to download the video," Guillaume Lovet, senior manager of Fortinet's security research team, told InternetNews.com. As a result, Lovet said he thinks Facebook will find this attack difficult to deal with.

"Their security policies are not going to blacklist Google or filter out links to Google sites, which have a high reputation," he said. Many antispam and antivirus products filter out or block URLs based on their reputation or ranking. The more secure and trusted a site is, the higher its reputation.

The worm has been kicking around for several months in various permutations but following a similar strategy. In early August, it resurfaced when hackers posted messages on Facebook users' sites, urging visitors to view a video purported to be hosted by Google or YouTube.

Clicking on the video downloaded a worm, and Facebook said a slim minority -- about 220,000 of its 110 million users -- were affected.

Barry Schnitt, a Facebook spokesperson, agreed with Lovet that Facebook will not cut off access to Google links as a result of the renewed round of attacks. However, he also said that the problem remains challenging for Facebook.

"It's difficult to deal with because the cybercriminals are changing the links they send people to, and the way they reach people, and they're very good at hiding the worm, especially using trusted sites like Google Reader," Schnitt told InternetNews.com.

Fortinet has already notified Google and Facebook about the latest attack, it said, while Schnitt confirmed that Facebook is talking to Google about closing the redirects from the Koobface worm. It's unclear, however, what action Google may take on the matter.

"We're investigating reports we've received on this issue and are committed to shutting down any accounts that violate our guidelines," a Google spokesperson said in an e-mail to InternetNews.com.

Lovet said the Koobface worm also targets another social networking site, MySpace.com, but Facebook is "the target of choice because it's so prevalent." Traffic monitor comScore Networks reported that MySpace had 117.6 million unique users in June, compared to 132.1 million visitors for Facebook.

Picking out the humans

Schnitt added that in most cases, Facebook requires any user submitting a suspicious link to pass a CAPTCHA challenge before the link can be posted on its site, which makes it difficult for the malware to spread.

A CAPTCHA -- short for "Completely Automated Public Turing test to tell Computers and Humans Apart" -- is a program that protects Web sites by generating and grading tests that humans can pass, but computer programs often cannot. A common CAPTCHA involves asking a user to correctly decipher visually distorted text before they can post to a forum or upload a file.

Schnitt also said that Facebook will block any link its system can identify as leading to malware. However, because of the high reputation of Google's Picasa and Reader sites, it's less likely for links like the kind used in the latest attack to be challenged or blocked.

"Detecting these links takes time," Schnitt said.

Fortinet's Lovet warned that attacks redirecting victims to trusted sites like Google where their PCs can be infected will become more prevalent, because spam, a major method attackers use to spread malware, is blocked at the e-mail gateway or mail server or client level -- forcing hackers to seek out alternatives.

However, Schnitt added that even slowing down the spread of malware using a CAPTCHA can help thwart attackers.

"The bad guys want to infect lots of people, and when they're infecting one person at a time through the CAPTCHA it isn't profitable," he said.

Update adds response from Google.