Daily cyber threats and internet security news: network security, online safety and latest security alerts
October 31st, 2008

Old Facebook Worm Using New Ways To Spread By Abusing Google Reader And Picasa Websites

Researchers at unified threat management vendor Fortinet noticed that a program similar to the Koobface worm had started using the Google Reader and Picasa websites to spread. In the attack, criminals host images that look like YouTube videos on the Google sites in hopes of tricking victims into downloading malicious Trojan software.

Hackers initially unleashed Koobface in late July, but Facebook’s security team soon slowed its spread by blocking the webites that were hosting the malicious Trojan software. That has prompted the criminals to change tactics. In this latest attack they have hosted files that appear to be YouTube videos on Picasa and Google Reader and used Facebook to send them to victims.

The links appear safe because they go to Google sites, but once the victim arrives on the Google Reader or Picasa page, he is invited to click on a video or a web link. The victim is then told he needs to download special codec decompression software to view the video. That software is actually a malicious Trojan Horse program, which is blocked by most anti-virus programs, according to Facebook.

It could be the cyber-criminals behind Koobface have deliberately misspelled their Facebook messages to further help them evade detection by filters. This latest attack do not use the self-copying worm code that Koobface used last August, but it could easily be added.

Koobface has been a top security concern at Facebook since July. The worm’s creators have used Facebook’s instant messaging feature and also hosted their malicious links on sites such as and Bloglines.

Security experts have long warned that the Web 2.0 mash-up model of allowing users to put together their own content from many different sources naturally creates many security problems. In part, this is because it allows anyone to post material on trustworthy domains such as Google.

Facebook is working with Google to shut down the problem, said Facebook spokesman Barry Schnitt.

Share this item with others:

More on CyberInsecure:
  • New Storm Worm Spam Campaign Mentions FBI And Facebook
  • Facebook Mobile API XSS Vulnerability Used To Launch Spam Worm
  • MySpace And Facebook Users Targeted By New Worms
  • New Security Warning Feature Added On Facebook
  • Facebook Users Can Be Forced Into Liking Arbitrary Pages Through Clickjacking

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: Old Facebook Worm Using New Ways To Spread By Abusing Google Reader And Picasa Websites

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.