Social networking sites, which are as popular as Nickelback and even more annoying, have become favorite playgrounds for malware authors and attackers. We’ve seen attacks using both Facebook and MySpace as a launching pad in recent months, and now it’s Orkut’s turn again. Orkut is Google’s homegrown social networking platform and Symantec researchers have discovered a new worm that is spreading through Orkut by using malicious “scraps” to infect users’ machines. Scraps are graphics and other pieces of content that users employ to communicate with their friends on the site.
The new worm that Symantec is monitoring sends a malicious scrap to all of the people in an infected user’s address book, asking them to click on an image that is supposedly a Flash movie. But, of course, one the user clicks on the link, he is redirected to a malicious site that proceeds to install a number of separate pieces of malware on his machine. The different threats are downloaded from several different domains, and the worm has a couple of other interesting capabilities.
What is interesting in this attack is a redirection URL used to fool Orkut. Orkut shows a CAPTCHA image for human validation whenever any user posts a scrap containing a link and an image. However, CAPTCHA is not used if the URL and image both come from any of the Google domains. This worm uses a redirected URL request from Google video to redirect to the malicious website and escape the CAPTCHA checks.
If you haven’t already blocked access to social networking sites on your network, now might be the time to do it. There’s not much of a legitimate business case to be made for using Facebook or Orkut at work and it looks like attackers have begun to turn their attention to these sites as an easy way to infect large numbers of PCs in a short amount of time.