Porn Worm Causes Loss of Face among Facebook Users
YNOT – Security researchers are warning Facebook users about a self-replicating software worm that spreads rapidly and can have embarrassing consequences. The worm shows up on a user’s Facebook Wall as an image of a scantily clad young woman bearing the message “Wanna C somthin’ HOT!?? Click Da’ Button, Baby!” Clicking the image not only transports the victim to a pornography site, but also posts a copy of the image on the victim’s Facebook Wall in an effort to entice all of his or her friends, as well.
“The attack is what’s known as Cross Site Request Forgery (CSRF), which is a pretty tricky attack, but the basic idea is that a malicious site tricks the innocent site into doing something it didn’t intend to, such as, in this case, updating the victim’s profile and status with the malicious link,” Chief Research Officer Roger Thompson wrote on antivirus vendor AVG’s blog.
CSRFs are particularly sneaky little bits of work, because the forged request is sent by the victim’s own browser, which attaches the victim’s Facebook session cookie to it automatically; Facebook therefore receives a request that looks exactly like one the logged-in user made deliberately. The fix is a change to the affected site’s own code, typically tying every state-changing request to a secret that a page on another site cannot obtain, so Facebook will have to take action to kill the “Da’ Button” worm. However, despite several AV experts weighing in with the opinion about the type of attack “Da’ Button” represents, Facebook has classified the attack as “clickjacking,” not a worm. Clickjacking owes its existence to a fundamental HTML design feature that allows websites to embed content from other websites: a malicious page can load a real control from the target site inside an invisible frame beneath its bait, so that the victim’s click lands on the target site itself. As such, Facebook noted in a prepared statement, there is little the popular social-networking site can do to prevent the spread of “Da’ Button.” Instead, Facebook suggested users think carefully before they click on anything. [Duh. –ed.]
“We’ve taken action to block the URL (Uniform Resource Locator) associated with this [attacking] site, and we’re cleaning up the relatively few cases where it was posted,” the Facebook statement noted. “Overall, an extremely small percentage of users were affected.”
Nick Fitzgerald, a threat researcher for AVG, said “Da’ Button” likely is a revenue generator for its creators, who evidently make money as an affiliate of the porn site to which victims are routed.
“It may be difficult for Facebook to fix reliably,” Fitzgerald told PCWorld. “Regardless, it is a worm.”
Its design and placement help, too: on a Wall full of user-posted pictures, one suggestive image hardly stands out as threatening, which makes “Da’ Button” a particularly effective piece of social engineering. Even a security researcher was caught out by the scam.
“This shows that even experts can become complacent and trust systems when they really shouldn’t,” honest-though-embarrassed independent security guru Gadi Evron wrote on the DarkReading.com blog.