Internet threat level: 1
Home→Blog→Incidents→May 21 2012→Worm 2.0, or LilyJade in action
Worm 2.0, or LilyJade in action
Kaspersky Lab Expert
Posted May 21, 12:14 GMT
Tags: Social Networks, Social Engineering
It is quite rare to analyze a malicious file written in the form of a cross-platform browser plugin. It is, however, even rarer to come across plugins created using cross-browser engines. In this post, we will look into a Facebook worm that was written using the Crossrider system – a system still in beta testing.
Image source: http://crossrider.com
How it all began …
While we were monitoring the activity of a certain botnet the other day, we detected a strange installer being downloaded. It established a connection with the site http://stats.crossrider.com, had the application ID 4761, and installed applications into the PROGRAM FILES folder under the name “FACEBOOK LILY SYSTEM”. The Crossrider system is intended for writing unified plugins for Internet Explorer (version 7 onwards), Mozilla Firefox 3.5 and Google Chrome. In this malicious program, the plugin for Google Chrome is the easiest to analyze – it consists of just two lines:
The content of the file extension.js installed into the plugin folder in Google Chrome
The first line loads the regular iQuery functions, and the second loads the main body of the malicious program.
This malicious program’s main functionality is to spoof ad modules on Yahoo, YouTube, Bing/MSN, AOL, Google and Facebook. Besides, its payload includes a proliferation mechanism that works via Facebook.
Spreading the seeds
The malicious program spreads by publishing spam messages from compromised accounts. This functionality is conveyed by the following code:
The self-propagation code in the malicious program
The links in the spam messages lead to compromised sites, where hidden iframes redirect users to the NuclearPack exploit kit. This kit includes the source installer for this malicious program as well as browser plugins.
Fragment of code from a compromised site
After undertaking a brief analysis of the C&C server, we have also tracked down someone selling this malicious program online; the software was put up for sale on hacking forums just yesterday. The malware was named LilyJade by its creator. The price is $1000; an extra $500 is charged for the source installer.
LilyJade ad on a hacking forum
Conclusion
This malicious program is a an excellent example of Malware 2.0-class programs based on modern web technologies, using social networks to propagate themselves and generating illegal incomes for their owners by spoofing various services.
On their site, Crossrider’s creators announce that API support currently available for Facebook will soon become available for Twitter. Can’t wait for that.
2012 Jun 13, 18:15
|
|
2012 Aug 24, 03:22
Correction This is the actual "ToXiiC" guy in that picture above. I just wanted to correct this post on something. I was a seller, but I had no idea it was taking people to malicious exploit packs and I thought it was only for adsense monetization. I have no involvement in this and was simply offered a reward for each sale. I am simply an internet marketer and do programming services for people. I do things like PayPal IPNs and other LEGAL stuff for poeple that they aren't capable of doing themselves. All my online activities are whitehat and for monetization. This picture was a screenshot of a post I made on http://ubers.org/ and I actually haven't even signed in to that site since. Please remove this picture of my ubers.org account and contact me at HFToXiiC@yahoo.com if you have any questions or concernes. Once again, I have no involvement in this project and haven't seen 1 piece of code nor did I know it took users to exploit packs. I have no involvement in illegal activities and have nothing to hide and will answer whatever I can. Edited by ToXiiC, 2012 Aug 24, 03:34 |
|
2012 Aug 24, 03:54
|
|
2012 Sep 12, 03:28
How do I get rid of this? I just got one after trying to download the "secure" VPN straight from the Pirate Bay, and this happened. My security software said it blocked it, but there was still a random firefox process running, so I went into task manager and shut it down. I deleted all the files that I got from the Pirate Bay. Is there anything else I should do? |
Analysis
Blog
© 1997-2013 Kaspersky Lab ZAO. All Rights Reserved.
Industry-leading Antivirus Software.
Registered trademarks and service marks are the property of their respective owners.
The authors' opinions do not necessarily reflect the official positions of Kaspersky Lab.