
Worm 2.0, or LilyJade in action

Sergey Golovanov
Kaspersky Lab Expert
Posted May 21, 12:14 GMT
Tags: Social Networks, Social Engineering

It is quite rare to analyze a malicious file written in the form of a cross-platform browser plugin. It is, however, even rarer to come across plugins created using cross-browser engines. In this post, we will look into a Facebook worm that was written using the Crossrider system – a system still in beta testing.



Image source: http://crossrider.com

How it all began …

While we were monitoring the activity of a certain botnet the other day, we detected a strange installer being downloaded. It established a connection with the site http://stats.crossrider.com, had the application ID 4761, and installed applications into the PROGRAM FILES folder under the name “FACEBOOK LILY SYSTEM”. The Crossrider system is intended for writing unified plugins for Internet Explorer (version 7 onwards), Mozilla Firefox 3.5 and Google Chrome. In this malicious program, the plugin for Google Chrome is the easiest to analyze – it consists of just two lines:



The content of the file extension.js installed into the plugin folder in Google Chrome

The first line loads the standard jQuery library, and the second loads the main body of the malicious program.


This malicious program’s main functionality is to spoof ad modules on Yahoo, YouTube, Bing/MSN, AOL, Google and Facebook. In addition, its payload includes a proliferation mechanism that works via Facebook.

Spreading the seeds

The malicious program spreads by publishing spam messages from compromised accounts. This functionality is conveyed by the following code:



The self-propagation code in the malicious program

The links in the spam messages lead to compromised sites, where hidden iframes redirect users to the NuclearPack exploit kit. This kit delivers the original installer for this malicious program together with the browser plugins.



Fragment of code from a compromised site
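A defender checking whether a site has been compromised in the way described above wants to find iframes a visitor would never see. The following scanner is an added example and not code from the original post; the sample page and the `example.invalid` URL in it are constructed placeholders, and the visibility heuristics (1x1 or zero-sized frames, hiding inline styles, the `hidden` attribute) are my own choice.

```python
"""Flag hidden <iframe> elements of the kind injected into compromised sites."""
from html.parser import HTMLParser
import re

# CSS fragments that make an element invisible to the visitor.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class HiddenIframeFinder(HTMLParser):
    """Collects every <iframe> that a visitor would never see."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        # Zero- or one-pixel frames: invisible, but the browser still loads them.
        for dim in ("width", "height"):
            val = a.get(dim, "").strip().lower().removesuffix("px")
            if val in ("0", "1"):
                reasons.append(f"{dim}={a[dim]}")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden by inline style")
        if "hidden" in a:
            reasons.append("hidden attribute")
        if reasons:
            self.findings.append({"src": a.get("src", ""), "reasons": reasons})

def find_hidden_iframes(html):
    """Return a list of {src, reasons} dicts, one per hidden iframe in html."""
    finder = HiddenIframeFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page: one legitimate embed and one injected 1x1 frame.
SAMPLE_PAGE = """
<html><body>
<iframe src="https://www.youtube.com/embed/placeholder" width="560" height="315"></iframe>
<p>Site content</p>
<iframe src="http://example.invalid/landing.php" width="1" height="1"
        style="position:absolute; visibility:hidden"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_PAGE):
        print(f["src"], "->", ", ".join(f["reasons"]))
```

Run it over saved copies of a site's pages; any hit whose `src` points off-site is worth a closer look.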

A brief analysis of the C&C server also led us to someone selling this malicious program online; it was put up for sale on hacking forums just yesterday. The malware was named LilyJade by its creator. The price is $1000; an extra $500 is charged for the original installer.



LilyJade ad on a hacking forum

Conclusion

This malicious program is an excellent example of Malware 2.0-class programs based on modern web technologies, using social networks to propagate themselves and generating illegal income for their owners by spoofing various services.

On their site, Crossrider’s creators announce that API support currently available for Facebook will soon become available for Twitter. Can’t wait for that.


4 comments


lebert32

2012 Jun 13, 18:15

Great Read

Ty for this article.
Your day sounds more exciting than mine.


ToXiiC

2012 Aug 24, 03:22

Correction

This is the actual "ToXiiC" guy in that picture above. I just wanted to correct this post on something. I was a seller, but I had no idea it was taking people to malicious exploit packs and I thought it was only for adsense monetization. I have no involvement in this and was simply offered a reward for each sale. I am simply an internet marketer and do programming services for people. I do things like PayPal IPNs and other LEGAL stuff for people that they aren't capable of doing themselves. All my online activities are whitehat and for monetization. This picture was a screenshot of a post I made on http://ubers.org/ and I actually haven't even signed in to that site since. Please remove this picture of my ubers.org account and contact me at HFToXiiC@yahoo.com if you have any questions or concerns. Once again, I have no involvement in this project and haven't seen 1 piece of code nor did I know it took users to exploit packs. I have no involvement in illegal activities and have nothing to hide and will answer whatever I can.

EDIT: I didn't even write the thread, the maker "CodeCompiler" sent me a copy and paste of the whole thread from another forum that uses the same forum software (MyBB).

~ToXiiC
HFToXiiC@yahoo.com

Edited by ToXiiC, 2012 Aug 24, 03:34


Vortex

2012 Aug 24, 03:54

LOL

I know ToXiiC very well and this thread makes me LOL so much


bigfish

2012 Sep 12, 03:28

How do I get rid of this? I just got one after trying to download the "secure" VPN straight from the Pirate Bay, and this happened. My security software said it blocked it, but there was still a random firefox process running, so I went into task manager and shut it down. I deleted all the files that I got from the Pirate Bay. Is there anything else I should do?
