
Google’s Orkut hit by self-propagating trojan

Security researchers at Symantec said that attackers are for the first time using a social networking site -- in this case, Google's Orkut, an online community -- to deliver a self-propagating trojan. The worm is infecting the computers of those on the buddy lists of Orkut users, according to Symantec.

"In the past, we've seen people getting infected links on social networking sites," Javier Santoyo, senior manager of emerging technologies with Symantec, told SCMagazineUS.com. "But what we have not seen is a self-propagating threat using social networking sites."

The multi-step process requires user interaction, he said, so users of Orkut should "know your friends well enough to know if they're posting messages with links. Just like email and spam, we encourage people to not click on URLs that redirect them to websites, but to type the URL."

With the Orkut trojan, the infection process begins when someone clicks on a "scrap" message from an Orkut user that contains a link, Santoyo said. Clicking the Flash-like image redirects the user's browser to a malicious website that contains JavaScript, which in turn sends a malicious scrapbook message to all users present in the original victim's friends list.

The pop-up screen in the Portuguese language prompts the user to run what appears to be a Flash Player installer, i.e., Instal_flash_player9.7.0.exe. In reality, however, the malicious URL installs the trojan onto the user's system.

That trojan, in turn, downloads a variety of malicious software in this iteration of the attack, Santoyo said. In the future, however, the attacker could deliver a different malicious payload, he noted.

Because the pop-up is in Portuguese, the infection seems limited to Orkut users' computers in Brazil and a few in India, Santoyo said. "But because the threat itself is using a new technique, it's important to get the word out at this point that the people you know on social networking sites may not necessarily be posting the messages users receive."

According to a Symantec blog posting, the scrap messages use Google domain links to avoid validation by Google's CAPTCHA function, which presents distorted, scrambled characters that numerous web operators use to block the automatic entry of data into web forms.

"What is interesting in this attack is a redirection URL used to fool Orkut," the blog notes. "This worm uses a redirected URL request from Google video to redirect to the malicious website and escape the CAPTCHA checks."
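The redirect trick described above, shown from the defender's side as an added example (not Symantec's or Google's code): a naive filter that trusts any link on an allowlisted host lets the worm's redirector through, while a check that follows the redirect chain and judges every hop does not. The hostnames, the redirect table and the sample scrap messages are constructed placeholders, not the worm's real URLs.

```python
from urllib.parse import urlparse

# Constructed redirect table standing in for live HTTP 302 responses; the hostnames
# are placeholders (*.example), not the actual domains abused by the 2007 worm.
WORM_LINK = "http://video.google.example/url?q=http://malicious.example/flash.html"
REDIRECTS = {
    WORM_LINK: "http://malicious.example/flash.html",
    # any URL absent from the table is treated as a final page (200 OK)
}

# Hosts the scrap filter is willing to let through without a CAPTCHA challenge.
TRUSTED_HOSTS = {"video.google.example", "orkut.google.example"}


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def naive_link_check(url: str) -> bool:
    """Weak check: trusts the link because the *submitted* host is allowlisted."""
    return host_of(url) in TRUSTED_HOSTS


def resolve_chain(url: str, fetch=REDIRECTS.get, max_hops: int = 5) -> list:
    """Follow redirects (here via the constructed table) and return every hop."""
    chain = [url]
    for _ in range(max_hops):
        nxt = fetch(url)
        if nxt is None:          # final page reached, no further redirect
            return chain
        url = nxt
        chain.append(url)
    raise ValueError("redirect loop or too many hops: " + " -> ".join(chain))


def hardened_link_check(url: str) -> bool:
    """Judges the link by every host it passes through, not only where it starts."""
    try:
        chain = resolve_chain(url)
    except ValueError:
        return False             # unresolvable chains are not trusted
    return all(host_of(u) in TRUSTED_HOSTS for u in chain)


def scrap_needs_captcha(message: str) -> bool:
    """Detection side: a scrap carrying any link that lands off-domain gets challenged."""
    links = [tok for tok in message.split() if tok.startswith(("http://", "https://"))]
    return any(not hardened_link_check(u) for u in links)
```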

Santoyo said Symantec had informed Google of the threat. Google did not respond to SCMagazineUS.com's request for comment.

In an update Wednesday to the blog about the Orkut worm, Symantec said "further analysis of the malicious JavaScript, along with the assistance of Google's Security team, shows that this threat doesn't expose any unknown vulnerability in Orkut. The program does require user interaction in order to 'scrap' itself to users in the friends list."
