Facebook Worm: ZeuS is not your (FB) Friend

Danish security company CSIS have reported a worm that really does spread through Facebook, unlike some of the malware we’ve seen described in hoaxes recently. Peter Kruse tells us that the worm logs in as the owner of the infected system and spams messages to his or her friends. The message consists of a link to a .il (Israel) web page and relies on social engineering to lure the victim into downloading a program that passes itself off as a screensaver (see screenshot below).

However, the program actually drops what Peter describes as a “cocktail” of malware onto the victim’s machine, including a variant of the data-stealing ZeuS trojan. (“Cocktail” is a term sometimes used by AV companies to describe multiple infections on a single system.)

Peter’s blog quotes a VirusTotal report (unlinked) that indicated that only two companies were detecting the worm. In fact, a VT report for what appears to be the same sample indicates that 20/43 companies detect it. However, it’s unsafe to assume that such a report is a 100 percent accurate reflection of product detection: VT has itself pointed out that its purpose is to evaluate possible malware (i.e. as malicious or non-malicious), not to provide an accurate appraisal of comparative product performance.

This is a case in point: while the report linked above suggests that NOD32 doesn’t detect the sample with the hash value 9447efa2da188dff6d0df78a43080836, in fact ESET has detected it proactively/generically as Win32/Injector.LML since the 29th November. (At the next update there will be a more specific detection identifying it as Win32/TrojanDownloader.Small.PFD.)
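As an added example (not from the original post or from ESET), here is the kind of indicator sweep a defender would run with the hash quoted above: it walks a directory, hashes every file, and reports any whose MD5 matches a known-bad list. The directory path and the constructed test file are assumptions; the only real indicator is the MD5 quoted in the post.

```python
import hashlib
import os

# Indicator quoted in the post: MD5 of the screensaver dropper sample.
KNOWN_BAD_MD5 = {
    "9447efa2da188dff6d0df78a43080836",
}


def hash_file(path, chunk_size=1 << 16):
    """Return (md5, sha256) hex digests of a file, reading it in chunks
    so large files do not have to fit in memory."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def sweep(root, bad_md5=KNOWN_BAD_MD5):
    """Walk `root` recursively and return a list of (path, md5) pairs for
    files whose MD5 is on the indicator list. Unreadable files are skipped
    rather than aborting the whole sweep."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                md5, _sha256 = hash_file(path)
            except OSError:
                continue
            if md5 in bad_md5:
                hits.append((path, md5))
    return hits


if __name__ == "__main__":
    # Assumed location of downloaded files on a machine being checked.
    for path, md5 in sweep(os.path.expanduser("~/Downloads")):
        print(f"MATCH {md5}  {path}")
```

A hash match is a strong positive signal, but a miss says nothing: as the paragraph above illustrates, a generic or heuristic detection (here Win32/Injector.LML) catches variants whose hashes were never published, so a hash sweep complements, and never replaces, up-to-date AV signatures.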

David Harley CITP FBCS CISSP
ESET Senior Research Fellow
