Jan 10, 2011 11:51 GMT

Security researchers warn of a worm that spreads by posting spam messages via Facebook chat in an attempt to trick users to download and run a malicious executable.

The malware hijacks Facebook accounts from infected computers and spams the users in their friend lists.

The rogue messages promise users access to an intriguing photo in order to lure them to an app.facebook.com/[censored] page.

When opening this page, visitors are immediately prompted to download a file called FacebookPhotos#########.exe (where # stands for a random digit).

A message claims that "this photo has been moved to another location" and encourages users to click a "View Photo" button.

The button acts as a failsafe mechanism and triggers the download prompt again, just in case the user dismissed the first dialog.

If downloaded and run, the .exe file installs what appears to be a new Palevo variant, which, at the time of writing this article, has an above-average detection rate on VirusTotal.

Palevo is a family of worms that normally spreads via instant messaging applications like Windows Live Messenger, Yahoo! Messenger or Skype.

It was the malware behind Mariposa (Butterfly), the largest botnet on the Internet when it was dismantled by the Spanish authorities last year.

"It is really unfortunate that Facebook scams are moving back towards spreading malware," says Chester Wisniewski, a senior security advisor at Sophos.

"[...] There are probably many more applications like this one making the rounds, so, as always, beware of unusual messages from friends whether they are in email, on their walls, or in an instant message," he adds.

Even though profile walls remain the most common conduit for spam on Facebook, scammers have been increasingly abusing the chat feature in recent months.

This Palevo variant is not even the first worm to spread like this. In November, security researchers from Trend Micro warned of an IRC bot exhibiting a very similar propagation mechanism.