Facebook ‘sexiest video’ malware spreading virally

If you get a posting on your Facebook wall telling you “this is without doubt the sexiest video ever! 😛 😛 :P” which seems to be accompanied by a video titled “Candid Camera Prank [HQ]” then don’t click on the video: it’s a lead-in to malware. Many “friends” sent them to me yesterday. Clicking the link will take you to what seems like a Facebook application which then tells you that your video

 player is out of date – and encourages you to download a file. 

If you do, then the same “video” plus link gets posted using your avatar to al your friends on Facebook -– meaning it is spreading virally.

It’s not clear at present whether Facebook has acted to halt it. You should, however, expect that it will mutate in the coming hours/days (depending on how determined the virus writer is), so it might not be exactly that message or video frame. The key element in the attack is that it tells you to download a file. 

At Sophos, Graham Cluley notes that: 

    “Judging by the number of messages posted on Facebook, thousands of people received this attack. If you were one of them, you should scan your computer with an up-to-date anti-virus, change your passwords, review your Facebook application settings, and learn not to be so quick as to fall for a simple social engineering trick like this in future.” 

The file seems to install a piece of adware called Hotbar, which thus generates revenue for the malware writer. (About Hotbar: “displays a dynamic toolbar and targeted pop-up ads based on its monitoring of Web-browsing activity. The toolbar appears in Internet Explorer and Windows Explorer. The toolbar contains buttons that can change depending on the current Web page and keywords on the page. Clicking a button on the toolbar may open an advertiser Web site or paid search site. Hotbar also installs graphical skins for Internet Explorer, Outlook, and Outlook Express. Hotbar may collect user-related information and may silently download and run updates or other code from its servers.”) 

Microsoft is, separately, strongly encouraging people and companies to stop using Internet Explorer 6, using the argument that “you wouldn’t drink 9-year-old milk, so why use a 9-year-old browser?” 

Though aimed at the Australian market (possibly IE6 has a higher prevalence there due to some geographical quirk), the arguments for abandoning IE6 are stronger than ever, and have been repeated many times – not least on this site (the browser that won’t die, why the NHS can’t get its browser act together). And of course it is widely believed – though so far not confirmed – that IE6 was the vector for an attack against Google by Chinese hackers at the end of last year.