Facebook, yet another place where worms spread

Yesterday I received a message on Facebook from an old friend (yes, I do use Facebook, as a great tool to keep in touch with friends and relatives). The message contained a video with the text “WOW Video”. If it had been posted on his wall instead, I would have been completely unsuspicious. My curiosity drove me to check what this was, so I switched computers.

The webpage www.ourcncc.net/meggac1ips looked like a legitimate Facebook page, with a large message showing “Flash player upgrade required”, immediately forcing a download.

The executable was in fact Win32/Koobface, which may have one of several payloads, depending on which components are installed on an affected machine. Obviously I didn’t check it out, but it can range from downloading and executing arbitrary files, including additional malware, to displaying pop-ups that attempt to persuade users into installing rogue software, or starting a web server or a proxy server. Users with little computer experience will have problems distinguishing between a legitimate site and a rogue site, and if you don’t have the latest virus definitions installed, you might get caught by these kinds of attacks, which can spread fast.

The mental load required to comprehend and accept a pop-up makes these kinds of attacks achievable. Users have been educated that these messages cannot be important, due to the large number of pop-ups they have to accept every day. Instead, the user searches for the OK button to skip the message.
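
As an added example (not code from the original post), here is a small detector for the pattern described above: a page that presents itself as Facebook on a non-Facebook host, followed shortly by an executable download from that same host. The log format, host names, domain allow-list and 30-second window are all assumptions, and the log records are constructed.

```python
from urllib.parse import urlsplit

# Constructed proxy-log records (not from the original post):
# (time in seconds, client, URL, response content type, HTML title or "")
SAMPLE_LOG = [
    (100, "10.0.0.5", "http://www.facebook.com/inbox", "text/html", "Facebook | Inbox"),
    (130, "10.0.0.5", "http://video-lure.example/clips", "text/html", "Facebook | Video"),
    (133, "10.0.0.5", "http://video-lure.example/flash_update.exe",
     "application/octet-stream", ""),
    (200, "10.0.0.9", "http://www.facebook.com/home.php", "text/html", "Facebook | Home"),
    (260, "10.0.0.9", "http://downloads.example/tool.exe", "application/x-msdownload", ""),
]

BRAND = "facebook"
BRAND_DOMAINS = ("facebook.com", "fbcdn.net")  # assumed allow-list of genuine hosts
EXEC_TYPES = {"application/octet-stream", "application/x-msdownload"}
WINDOW = 30  # assumed: seconds between lookalike page and download


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def is_brand_host(host):
    # Exact match or true subdomain; "facebook.com.evil.example" must not pass.
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


def is_executable(url, ctype):
    return urlsplit(url).path.lower().endswith((".exe", ".scr")) or ctype in EXEC_TYPES


def find_lure_downloads(log):
    """Return (client, page_url, download_url) for every executable fetched
    from a host that just served the same client a brand-imitating page."""
    hits = []
    lookalikes = {}  # (client, host) -> (time, page URL)
    for ts, client, url, ctype, title in sorted(log):
        host = host_of(url)
        if ctype == "text/html" and BRAND in title.lower() and not is_brand_host(host):
            lookalikes[(client, host)] = (ts, url)
        elif is_executable(url, ctype):
            seen = lookalikes.get((client, host))
            if seen and ts - seen[0] <= WINDOW:
                hits.append((client, seen[1], url))
    return hits


if __name__ == "__main__":
    for hit in find_lure_downloads(SAMPLE_LOG):
        print("suspicious download:", hit)
```

The second client's download is not flagged because no lookalike page preceded it; correlating the two events is what keeps ordinary software downloads out of the results.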


~ by petergullberg on August 18, 2009.

One Response to “Facebook, yet another place where worms spread”

  1. Someone hacked our website at GoDaddy and placed this. I am so mad at the person(s) that did this to our church site. I have cleaned up the files on the server at Go Daddy… I would love to meet the person that did this in a locked room …. All it would take is about 10 seconds to show them how mad I am…..
