The malware, dubbed LillyJade, is currently being peddled on underground hacker forums for $1,000 USD. The malware’s author says that it can infect not just Windows machines but also Mac and Linux systems since it does not contain executable files. Antivirus programs are designed to look for executables. The malware’s goal is to spoof clicks on ads at Facebook, Google, AOL, Bing/MSN, YouTube, and Yahoo. When infected users view pages that carry ads from these networks, the cybercriminal who implanted the malware earns affiliate program income.
The malware spreads by piggybacking on infected browsers’ open Facebook sessions. It uses Facebook to churn out spam messages from the browser operators’ Facebook accounts. The spam contains links to attack sites that use the Nuclear Pack exploit kit. Exploit kits like Nuclear Pack scan the computers of attack-site visitors for vulnerabilities. The most susceptible are users with unpatched or outdated browser plug-ins such as Adobe Reader, Flash Player, and Java. If the exploit kit detects an unpatched computer, it loads it with malware.