Public wall posts purporting to be from someone on a user's friends list invite the user to click on some kind of video or image, and the URL appears to lead to something hosted on Google.com. That's a spoof -- it really directs to a grinning photo of a court jester sticking out its tongue -- and a downloaded Trojan. Sophos has not said what the worm then does.
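The lure described above rests on a link that looks like it goes to Google but actually resolves somewhere else. The following is an added example, not code from the article, Sophos or Facebook, showing the kind of check a wall-post scanner could run on a defender's side: it compares the host a link's visible text claims against the host the link really targets, and separately flags look-alike hosts that merely contain a trusted brand name. The sample posts, the `TRUSTED_HOSTS` set and the verdict labels are all constructed for this illustration.

```python
from urllib.parse import urlparse

# Constructed sample wall posts (not from the article). Each pairs the visible
# link text with the href the browser would actually follow.
SAMPLE_POSTS = [
    {"author": "alice", "text": "http://www.google.com/video",
     "href": "http://www.google.com/video"},
    {"author": "bob", "text": "http://www.google.com/video",
     "href": "http://video-google.example.net/watch"},
    {"author": "carol", "text": "youtube.com/watch?v=abc",
     "href": "http://youtube.com.example.org/watch"},
    {"author": "dave", "text": "check this out",
     "href": "http://www.google.com/search?q=jester"},
    {"author": "erin", "text": "new clip",
     "href": "http://googlevideo.example.net/clip"},
]

# Hosts the lure claims to be on (assumption for this example).
TRUSTED_HOSTS = {"google.com", "youtube.com"}


def host_of(url):
    """Lower-cased hostname of a URL; tolerates a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def belongs_to(host, root):
    """True only for the root itself or a genuine subdomain of it.
    'youtube.com.example.org' does NOT belong to 'youtube.com'."""
    return host == root or host.endswith("." + root)


def claimed_host(text):
    """Host the visible link text asserts, or '' if the text is not URL-like."""
    first = text.strip().split()[0] if text.strip() else ""
    host = host_of(first)
    return host if "." in host else ""


def classify_link(text, href):
    """Classify one link. Returns 'ok', 'text_target_mismatch' or 'lookalike_host'."""
    target = host_of(href)
    claimed = claimed_host(text)

    # Rule 1: the text names a host but the real target is a different site.
    if claimed and claimed != target:
        same_root = any(belongs_to(claimed, t) and belongs_to(target, t)
                        for t in TRUSTED_HOSTS)
        if not same_root:
            return "text_target_mismatch"

    # Rule 2: the target is outside every trusted host but borrows its brand
    # name (e.g. 'googlevideo.example.net').
    if not any(belongs_to(target, t) for t in TRUSTED_HOSTS):
        brands = {t.split(".")[0] for t in TRUSTED_HOSTS}
        if any(brand in target for brand in brands):
            return "lookalike_host"

    return "ok"


def suspicious_posts(posts):
    """Return (author, verdict) for every post whose link is not 'ok'."""
    flagged = []
    for post in posts:
        verdict = classify_link(post["text"], post["href"])
        if verdict != "ok":
            flagged.append((post["author"], verdict))
    return flagged


if __name__ == "__main__":
    for author, verdict in suspicious_posts(SAMPLE_POSTS):
        print(f"{author}: {verdict}")
```

Running it flags bob and carol for a text/target mismatch and erin for a look-alike host, while alice's and dave's links pass. The suffix check in `belongs_to` is deliberately strict so that `youtube.com.example.org` is not mistaken for a YouTube subdomain; a production scanner would additionally resolve the registrable domain against a public-suffix list and follow redirects before deciding where a link really lands.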
Facebook representatives were not immediately available for comment.
Sophos says that this is probably not the same as a social-network worm that Kaspersky Labs flagged last week, but CNET News has contacted Kaspersky for comment. The two are similar, at least superficially.
Sophos also says it has not yet completed its investigation of the issue, and that the worm may not be restricted to Facebook. "Whether this really is a Facebook worm, and not simply malware being distributed via Facebook spam remains to be seen," a blog post by Sophos researcher Fraser Howard read.
In the past, Sophos has warned of social networks' potential as Petri dishes for malicious attacks, and has put out a general warning to companies that security may be a graver concern than productivity when deciding whether to block access to these sites at the office. "Companies need to make their own mind up as to whether they want to allow their users to access websites like Facebook and MySpace during office hours," Sophos analyst Graham Cluley said in a release.
"If workers are allowed to be given access to these sites then it's vital that they do not put their personal and corporate data at risk, and are protected from web-based infections."
Update: Facebook's Response
Facebook security chief Max Kelly has assured members in a blog post that the social network is "fighting the good fight" when it comes to several malware attacks discovered on the site in recent days.
"We spent most of last night working on a fix for a worm, which was targeting people on Facebook and placing messages on walls urging users to view a video that pretends to be hosted on a Google or YouTube Web site," Kelly wrote. "Less than .002 percent of people on Facebook have been affected, all of whom we notified and suggested steps to remove the malware."
The worm was first flagged by security firm Sophos, just days after another one had been identified by Kaspersky Labs.
Kelly said Facebook appreciates the efforts of watchdogs. "If we get a report of a bug or a hole from a user, a security researcher, a reporter, blogger, or anyone, we check it out and fix it as quickly as possible," he wrote. "In fact, we appreciate it when help comes our way from the many security experts and organizations out there."
Sophos and other security firms have warned that social networks such as Facebook and MySpace are particularly fertile breeding grounds for security attacks: they have massive user bases, plenty of outside developers working on the site, and lots of ways (messages, wall posts) to spread malware to unwitting members.
Facebook recommends that members follow a few basic security measures: report spam postings, install the proper Mac or Windows software in the event of a malware infection, and never share your Facebook password.
That last piece of advice will be tougher for Facebook to recommend as Facebook Connect, which lets external sites use Facebook login credentials, grows more commonplace.
By Caroline McCarthy