Like previous Facebook scams, it uses stolen account credentials to log in and then spam the victim account's "Friends" with the malicious posts. While a screenshot of the file appears to have a .jpg suffix, it's really a malicious screensaver file, according to Jovi Umawing, a security expert at GFI Software.
"Once run, it drops a cocktail of malicious files onto the system, including ZeuS, a popular Trojan spyware capable of stealing user information from infected systems," Umawing wrote in a blog post today. "The worm is also found to have anti-VM capabilities, making it useless to execute and test in a virtual environment, such as Oracle VM VirtualBox and VMWare."
Facebook has blocked the offending domains spreading the Trojan. "We are constantly monitoring the situation and are in the process of blocking domains as we discover them. We have internal systems in place configured specifically to monitor for variations of the spam and are working with others across the industry to pursue both technical and legal avenues to fight the bug," a Facebook spokesperson says.
The worm plays perfectly into Facebook's environment, security experts say.
"Facebook is built to easily allow people to share pictures, videos, and other content -- and people trust what they are receiving from their friends," says Mike Geide, senior security researcher at Zscaler ThreatLabZ Malware. "[For example], this recent example can take advantage of the sharing mechanisms and user's trust of their friends within social networking."
Meanwhile, new research published today from Norman ASA found that Zeus-based attacks are actually on the decline this year: While there were 20,000 Zeus-related incidents in January, according to Norman, there were "nearly negligible levels" of Zeus threats discovered in September.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.