Dec 23, 2010 08:54 GMT
Instant messaging worm uses Facebook's open redirect script to hide malicious links

Security researchers from Kaspersky warn that a new instant messaging worm abuses Facebook's open redirect script in order to add legitimacy to rogue links.

Known as Zeroll and detected as IM-Worm.Win32.XorBot.a by Kaspersky's anti-malware products, the worm spreads via Yahoo! Messenger by sending spam messages in several languages.

The messages usually reference a photo; variants were seen in English, German, Dutch and Romanian. "This is the funniest photo ever! [link]" and "seen this?? :D [link]" are two examples.

The links take the form http://www.facebook.com/l.php?u=[removed].org/Jenny.jpg. http://www.facebook.com/l.php is an open redirector: the script through which Facebook routes users when they click on external links, forwarding them to whatever destination the link supplies.

On their way out, users are shown a Facebook page warning them of the phishing and malware download risks of browsing third-party websites.

The target URL is passed to the l.php script as the value of the u= parameter. Kaspersky researchers warn that the Jenny.jpg part can also vary. Links ending in Girls.jpg and Marisella.jpg have also been spotted.

However, despite the .jpg extension, the links do not lead to an image as one might expect. Instead they serve a file called PIC1274214241-JPG-www.facebook.com.exe for download.
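The reason the trick works against a filter keyed on the visible domain is that the only host in plain sight is www.facebook.com, while the real destination is hidden in the u= parameter. The following is an added example, not code from Kaspersky or from the article: it unwraps the l.php redirect without touching the network, compares the host the user sees with the host actually reached, and flags image-looking lures. The sample messages and the example.org destination are constructed for illustration (the article's real destination domain is redacted) and are not the worm's actual links.

```python
"""Unwrap facebook.com/l.php?u= redirects and flag disguised destinations.

Added example (not Kaspersky's or the article's code). Sample links below are
constructed; example.org stands in for the redacted real destination.
"""
import re
from urllib.parse import parse_qs, urlsplit

# (host, path, query parameter) tuples that act as open redirectors.
REDIRECTORS = {
    ("www.facebook.com", "/l.php", "u"),
    ("facebook.com", "/l.php", "u"),
}

# Extensions used to make an executable download look like a picture.
IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif")

URL_RE = re.compile(r"https?://\S+")

# Constructed messages modelled on the lure texts quoted in the article.
SAMPLE_MESSAGES = [
    "This is the funniest photo ever! "
    "http://www.facebook.com/l.php?u=http%3A%2F%2Fexample.org%2FJenny.jpg",
    "seen this?? :D http://www.facebook.com/l.php?u=example.org/Girls.jpg",
    "check my profile http://www.facebook.com/profile.php?id=4",
]


def unwrap_redirect(url, max_hops=5):
    """Resolve redirector wrappers by parsing the query string only (no HTTP).

    Stops after max_hops so chained wrappers cannot loop forever. A target
    without a scheme (as in the article's u=[removed].org/Jenny.jpg form) is
    treated as http://.
    """
    current = url
    for _ in range(max_hops):
        parts = urlsplit(current)
        params = parse_qs(parts.query)
        target = None
        for host, path, key in REDIRECTORS:
            if parts.hostname == host and parts.path == path and key in params:
                target = params[key][0]
                break
        if target is None:
            return current
        if not urlsplit(target).scheme:
            target = "http://" + target
        current = target
    return current


def analyze_link(url):
    """Return what a filter should look at: shown host vs. real host, whether
    a redirector is involved, and whether the lure pretends to be an image."""
    shown_host = urlsplit(url).hostname or ""
    final = unwrap_redirect(url)
    final_parts = urlsplit(final)
    return {
        "shown_host": shown_host,
        "final_host": final_parts.hostname or "",
        "final_url": final,
        "redirected": final != url,
        "host_mismatch": shown_host != (final_parts.hostname or ""),
        "image_lure": final_parts.path.lower().endswith(IMAGE_EXTENSIONS),
    }


def is_suspicious(url):
    """Trusted wrapper, different real destination, image-looking lure:
    the combination a domain-whitelist filter lets straight through."""
    info = analyze_link(url)
    return info["redirected"] and info["host_mismatch"] and info["image_lure"]


def scan_messages(messages):
    """Pull every URL out of the messages and classify each one."""
    results = []
    for msg in messages:
        for url in URL_RE.findall(msg):
            results.append((url, is_suspicious(url)))
    return results


if __name__ == "__main__":
    for url, flagged in scan_messages(SAMPLE_MESSAGES):
        info = analyze_link(url)
        print(f"{'SUSPICIOUS' if flagged else 'ok        '} {info['shown_host']} -> {info['final_host']}")
```

Note that the check deliberately does not fetch the link: the disguise is visible from the URL alone, and a filter that resolves the u= parameter before consulting its domain reputation would see example.org rather than facebook.com.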

When run, this executable downloads another file called srce.exe and opens an image of two attractive women so that the victim has no reason to suspect anything went wrong.

The use of Facebook's open redirect script in attacks is not new, but it isn't very common either, even though it helps the links slip past basic spam filters that judge a URL by its visible domain and lends them the apparent legitimacy of facebook.com.

"And even though people already know they shouldn’t just click any old links, even if it was sent by someone on their contact list, it’s worth reminding everyone again. If nothing else, cybercriminals are creative, and the Zeroll spam once again confirms this," says Vyacheslav Zakorzhevsky, a security expert at Kaspersky Lab.