The Latest in IT Security

Facebook Worm: ZeuS is not your (FB) Friend

01 Dec 2011

Danish security company CSIS have reported a worm that really does spread through Facebook, unlike some of the malware we've seen described in hoaxes recently. Peter Kruse tells us that the worm logs in as the owner of the infected system and spams messages to his or her friends. The message consists of a link to a .il (Israel) web page and relies on social engineering to lure the victim into downloading a program that passes itself off as a screensaver (see screenshot below).

However, the program actually drops what Peter describes as a "cocktail" of malware onto the victim's machine, including a variant of the data-stealing ZeuS trojan. (A cocktail is a term sometimes used by AV companies to describe multiple infections on a single system.)

Peter's blog quotes a VirusTotal report (unlinked) that indicated that only two companies are detecting the worm. In fact, a VT report for what appears to be the same sample indicates that 20/43 companies detect it. However, it's unsafe to assume that such a report is a 100 percent accurate reflection of product detection: VT has itself pointed out that its purpose is to evaluate possible malware (i.e. as malicious or non-malicious), not to provide an accurate appraisal of comparative product performance.

This is a case in point: while the report linked above suggests that NOD32 doesn't detect the sample with the hash value 9447efa2da188dff6d0df78a43080836, in fact ESET has detected it proactively/generically as Win32/Injector.LML since the 29th November. (At the next update there will be a more specific detection identifying it as Win32/TrojanDownloader.Small.PFD.)

David Harley CITP FBCS CISSP
ESET Senior Research Fellow
