CSIS have reported a worm that really does spread through Facebook…but it’s unsafe to use VirusTotal to compare product detection.
Danish security company CSIS have reported a worm that really does spread through Facebook, unlike some of the malware we’ve seen described in hoaxes recently. Peter Kruse tells us that the worm logs in as the owner of the infected system and spams messages to his or her friends. The message consists of a link to a .il (Israel) web page and relies on social engineering to lure the victim into downloading a program that passes itself off as a screensaver (see screenshot below).
However, the program actually drops what Peter describes as a “cocktail” of malware onto the victim’s machine, including a variant of the data-stealing ZeuS trojan.
(A cocktail is a term sometimes used by AV companies to describe multiple infections on a single system. Or, as my colleague Stephen Cobb points out, a well-deserved after-hours beverage, shaken, not stirred – though personally I prefer a margarita to anything with Martini. That would be tequila, not a pizza.)
Peter’s blog quotes a VirusTotal report (unlinked) that indicated that only two companies are detecting the worm. In fact, a VT report for what appears to be the same sample indicates that 20/43 companies detect it. However, it’s unsafe to assume that such a report is a 100 percent accurate reflection of product detection: VT has itself pointed out that its purpose is to evaluate possible malware (i.e. as malicious or non-malicious), not as an accurate appraisal of comparative product performance.
This is a case in point: while the report linked above suggests that NOD32 doesn’t detect the sample with the hash value 9447efa2da188dff6d0df78a43080836, in fact ESET has detected it proactively/generically as Win32/Injector.LML since the 29th November. (At the next update there will be a more specific detection identifying it as Win32/TrojanDownloader.Small.PFD.)
David Harley CITP FBCS CISSP
ESET Senior Research Fellow