Zeus Trojan spreads when user views 'photos'; Facebook now blocking malicious domains spreading the attack.
A worm spreading via Facebook infects victims with a variant of the dangerous Zeus Trojan. The attack, which was first found by researchers at CSIS in Denmark, spreads via phony posts from an infected Facebook user's account that pretends to contain photos.
Like previous Facebook scams, it uses stolen account credentials to log in and then spam the victim account's "Friends" with the malicious posts. While a screenshot of the file appears to have a .jpg suffix, it's really a malicious screensaver file, according to Jovi Umawing, a security expert at GFI Software.
"The worm is also found to have anti-VM capabilities, making it useless to execute and test in a virtual environment, such as Oracle VM VirtualBox and VMWare." If you are using any virtual machine then it will infect your current OS.
Facebook has blocked the offending domains spreading the Trojan. "We are constantly monitoring the situation and are in the process of blocking domains as we discover them. We have internal systems in place configured specifically to monitor for variations of the spam and are working with others across the industry to pursue both technical and legal avenues to fight the bug," a Facebook spokesperson says.
"Facebook is built to easily allow people to share pictures, videos, and other content -- and people trust what they are receiving from their friends," says Mike Geide, senior security researcher at Zscaler ThreatLabZ Malware. "[For example], this recent example can take advantage of the sharing mechanisms and user's trust of their friends within social networking."
Meanwhile, new research published today from Norman ASA found that Zeus-based attacks are actually on the decline this year: While there were 20,000 Zeus-related incidents in January, according to Norman, there were "nearly negligible levels" of Zeus threats discovered in September.