New Facebook Worm Spreads

By Brian Prince  |  Posted 2009-11-23 Print this article Print

When, oh when, will it be safe to view Internet porn?

All jokes aside, on Nov. 23 AVG Technologies reported a new worm targeting Facebook users. The worm spreads by putting an alluring picture of a woman on the profile pages belonging to people it infects. The picture will also appear in the person's News Feed.

If you click the picture, it takes you to a malicious site that will ask you to click on a picture if you "want 2 c something hot."

Unfortunately, all the user gets is a worm.

"This worm uses what is technically known as a CSRF (Cross-Site Request Forgery, also called XSRF) attack," blogged Nick FitzGerald, emerging threats researcher at AVG. "A sequence of iframes on the exploit page [calls] a sequence of other pages and scripts, eventually resulting in a form submission to Facebook 'as if' the victim had submitted a URL for a wall post and clicked on the 'Share' button to confirm the post."

Facebook however has a different take. According to the social networking site, the is actually an example of clickjacking.

"We've taken action to block the URL associated with this site, and we're cleaning up the relatively few cases where it was posted (something email providers, for example, can't do)," a Facebook spokesperson told eWEEK. "Overall, an extremely small percentage of users were affected. As always, we're asking people not to click on suspicious links, even if they've been sent or posted by friends. You'll find this tip and others on the Facebook Security Page:"

Once you are infected, your profile and status will be updated to show the scantily dressed vixen, and the saga continues. According to Roger Thompson, chief research officer at AVG, the malware does not appear to be tied to Koobface, which continues to target Facebook and other social networks. The aim of the worm seems to be to direct people to adult Websites where someone presumably makes money by getting clicks, he said.

"It's interesting though that such a neat exploit should be 'wasted' on seemingly low returns," he told eWEEK. "One wonders if perhaps other folks have been using it for more nefarious purposes."

Describing the worm as new, Thompson said he was unsure how many people have been impacted so far. He added that AVG tested the worm on Windows and Linux machines running Firefox and found it worked successfully.

As always, the advice is to be careful what you click.

UPDATE: This was updated to include more information from AVG and Facebook. |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel