Scareware worm stretches out to Picasa, Google Reader

A Facebook worm wending its way through the address books of unwary users is gaining trust by pointing to two equally trusted sites, researchers warned on Wednesday.

The worm aims to trick the unwary into installing malware on their own systems. That malware is disguised as a new ActiveX video codec.

The worm was first spotted by FortiGuard researchers on Tuesday. At that point, it propagated by sending itself to Facebook friends of infected users, inviting them to visit a shared video (often of the "adult" type) in Google Reader. But clicking on the video produced a fake "Video ActiveX Object Error" message instructing users to "download new version" (note the grammatical error) of ActiveX Object.

The download is -- you guessed it -- another copy of the malware, specifically W32/Zlob.NKX!tr.dldr (aka the Trojan-Downloader.Zlob.Media-Codec); once downloaded and installed, it repeats the vicious cycle.

That was Tuesday's fun. On Wednesday, Fortinet captured a new version of the message, which directs users to yet another Google property, Picasa. The details of execution -- message apparently from a Facebook friend, pointer to well-known site, allegedly shared video, fake error message, nasty download -- remains the same.

Though other payloads are feasible, the payload for the trojan in this infection usually consists of rogue security software. In their most recent "Threatscape Report," released last week, FortiGuard noted that during the period between September 21 and October 20, rogue security software (or "scareware") accounted for the overwhelming majority of the top 10 malware threats seen in the wild.

A FortiGuard analysis over the summer indicated in turn that scareware propagation was seriously on the rise, driving a dramatic increase in overall malware activity online after over a year of relative quiet.