
Google’s Orkut Hit by Personal-Data-Stealing Worm

June 28, 2006

The malware works its way onto users’ personal computers when they click on infected links in Orkut scrapbook pages.

Free Web hosting service was being used by hackers trying to steal money.

A new Internet worm capable of stealing bank details and other personal data from users is circulating via Orkut, Google Inc.’s social networking service, a computer security company warned.

Security vendor Websense warned recently that a Trojan horse is being hosted on a site with the same IP (Internet protocol) address as the main Google Pages Web site…

 

Instant-messaging service provider FaceTime Communications said its software security lab had detected the spread of the electronic virus, the third such threat to disseminate itself via messages posted on Orkut users’ personal Web pages.

Google’s service, while available globally, is wildly popular among Brazilians, who make up the bulk of its users.

Trojan horses present themselves as legitimate programs but actually conceal malicious code inside. They can be engineered to steal information from computers and are frequently spread by unsolicited e-mails or via instant messaging (IM) links.

The malicious program, dubbed by FaceTime as "MW.Orc," works its way onto users’ personal computers when they click on infected links on Orkut scrapbook pages. The link is followed by a message in Portuguese that entices the user to click.

Once the link is activated, a file is uploaded to the PC, according to a description of how the worm works contained in a statement by the Foster City, California-based company.

When infected Orkut users running Microsoft Corp.’s widely used Windows XP operating system look for personal files on their PCs through their "My Computer" icon, that triggers an e-mail back to the creator of MW.Orc filled with personal information stored on the PC, FaceTime said.

No Attack Underway
The Trojan appears to have been noticed before its authors have managed to launch an attack, Websense said. The company has not yet detected e-mails or IM links leading back to the Trojan, which is designed to steal bank details relating to certain financial institutions.

The new threat to Orkut follows an earlier worm, Banker-BWD, which was uncovered by Sophos, an anti-virus company.

That malicious software also disseminated itself through Orkut’s scrapbook pages, but automatically transferred the victims to fake Web pages of banks in order to entice the users to enter personal data that can then be stolen by the hackers.

The Trojan, also known as a "keylogger" for its ability to record keystrokes, is programmed to know when a user visits a bank site, and to then activate the keystroke recording function, said Ross Paul, a senior product manager at Websense.

Criminals often use free hosting services to post dangerous code, Paul said. "Anywhere there is anonymous access to create content is a pretty useful tool for criminals," he said.

Google said that it is aware of this issue and will have a temporary fix in place. "We are working on a more permanent solution for users to guard against these malicious efforts," the company said.

The Trojan’s file size has been reduced using ASPack, a file compression tool.

In recent days, Orkut has published an alert on scrapbook pages, which warns users to be careful when opening links sent by unknown users of Orkut and to avoid clicking on links to pages outside of Orkut’s own domain at http://www.orkut.com.

Orkut has around 21.1 million users, 68.56 percent of whom identify themselves as Brazilians, 12.26 percent as living in the United States and 5.32 percent who say they live in India.

According to the Brazilian Banks Federation (Febraban), the use of Internet banking services by Brazilians jumped 45.3 percent to 26.3 million in 2005 over 2004, representing a major portion of all online users in South America’s largest nation.

Estimates from the Brazilian Internet industry are that Brazil has around 31 million Web surfers.

Within hours of its launch in February the service was taken down due to overwhelming demand. It was restored three days later.

In a statement, Google said that "Orkut.com users and users of all online services and applications should always be careful when opening or clicking on anything suspicious."

Separately, Google told Brazilian authorities in May that it would shut down community pages created by Orkut users that promote violence, terror or the sexual abuse of children.