Facebook Worm: ZeuS is not your (FB) Friend

Danish security company CSIS have reported a worm that really does spread through Facebook, unlike some of the malware we've seen described in hoaxes recently. Peter Kruse tells us that the worm logs in as the owner of the infected system and spams messages to his or her friends. The message consists of a link to a .il (Israel) web page and relies on social engineering to lure the victim into downloading a program that passes itself off as a screensaver (see screenshot below).

However, the program actually drops what Peter describes as a "cocktail" of malware onto the victim's machine, including a variant of the data-stealing ZeuS trojan.

(A cocktail is a term sometimes used by AV companies to describe multiple infections on a single system. Or, as my colleague Stephen Cobb points out, a well-deserved after-hours beverage, shaken, not stirred – though personally I prefer a margarita to anything with Martini. That would be tequila, not a pizza.)

Peter's blog quotes a VirusTotal report (unlinked) that indicated that only two companies are detecting the worm. In fact, a VT report for what appears to be the same sample indicates that 20/43 companies detect it. However, it's unsafe to assume that such a report is a 100 percent accurate reflection of product detection: VT has itself pointed out that its purpose is to evaluate possible malware (i.e. as malicious or non-malicious), not as an accurate appraisal of comparative product performance.

This is a case in point: while the report linked above suggests that NOD32 doesn't detect the sample with the hash value 9447efa2da188dff6d0df78a43080836, in fact ESET has detected it proactively/generically as Win32/Injector.LML since the 29th November. (At the next update there will be a more specific detection identifying it as Win32/TrojanDownloader.Small.PFD.)

ESET Senior Research Fellow

Author David Harley, ESET

  • nietzschean

    hello, I am a college student, major study is CIS network adiministration " securities" got a question
    does the zeus trojan only attack windows based os? there is no other info on the web to do with what OS's are underattack from this threat….. and is this Zeus threat like the Metasploit program?

    • David Harley

      The ZeuS gang is associated with malware commonly known as Zitmo (ZeuS in the mobile), a Trojan that “partners” with the desktop version of ZeuS to extend its functionality across mobile platforms (Android, RIM, Symbian). ZeuS is like Metasploit in that it provides a framework for a certain type of attack rather than a simple botnet, but ZeuS is frankly criminal in intent: it’s not a research tool.

Follow us

Copyright © 2017 ESET, All Rights Reserved.