Cross-browser worm uses Facebook as host

New malware dubbed LillyJade threatens multiple browser systems

The JavaScript framework Crossrider provides a unified application programming interface (API) for the three major browsers: Microsoft Internet Explorer, Google Chrome, and Mozilla Firefox. The API was originally intended to help developers produce code that runs on different browsers and, by extension, different operating systems. The Crossrider framework is still in beta and is slated to add Safari support soon. Unfortunately, its ability to work on all browsers and OSes has proved too tempting to cyber criminals. Malware authors have created code that exploits Crossrider to enable a click-fraud worm to propagate through Facebook. According to security researchers at antivirus software developer Kaspersky Lab, this is a very rare instance of malware being written for cross-platform browser plugins.

The malware, dubbed LillyJade, is currently being peddled on underground hacker forums for $1,000 USD. The malware’s author says that it can infect not just Windows machines but also Mac and Linux systems since it does not contain executable files. Antivirus programs are designed to look for executables. The malware’s goal is to spoof clicks on ads at Facebook, Google, AOL, Bing/MSN, YouTube, and Yahoo. When users infected by the malware view pages that have ads from these networks, the cyber criminal who implanted the malware earns affiliate program income.

The malware spreads by piggybacking on infected browsers’ open Facebook sessions. It uses Facebook to churn out spam messages from the browser users’ Facebook accounts. The spam contains links to attack sites that use the Nuclear Pack exploit kit. Exploit kits like Nuclear Pack scan the computers of visitors to the attack site for vulnerabilities. The most susceptible are users with unpatched or outdated browser plug-ins like Adobe Reader, Flash Player, and Java. If the exploit kit detects an unpatched computer, it loads it with malware.
