In order to gain popularity and usability, web browsers offer extra features. Chief among these are browser plug-ins, which can help to attract a greater audience.
These extensions are used by a browser to extend its functionality. Almost all popular browsers support these extensions, which have become one of the most commonly used malware attack vectors. Malware authors have long chosen social networking sites as their favorite breeding ground. A current threat to Facebook users is the LilyJade 2.0 “extension.”
So it begins
A fake YouTube site.
Downloaded malicious scripts.
These malicious extensions send the information to the malware author, including IP address, country, and OS. The malware also reports whether the user is online and the websites viewed.
The malware control server.
The preceding statistics show about 7,837 compromised unique IPs and that about 176 users were online.
The other fields present in the control server:
- IP: Address of the compromised browser
- Country: Location of the compromised browser
- OS: Operating system installed
- URL: The web page currently viewed in the compromised browser
- Status: Whether the compromised browser is available
The malware shows an advertisement copied from one of several websites (Yahoo, YouTube, Bing, AOL, Google, and Facebook) and replaces it with its own advertisement. The Google AdSense ID (in this case “ca-pub-33xx398xxxx84xx1”) is unique for each AdSense user. Replacing the advertisement with a unique AdSense ID will generate more income to the attacker’s account.
The function for replacing ads.
Apart from these leading domains, the malware can also replace advertisements from other websites. The malicious script will check whether the user is viewing pages contain pornography by comparing the keywords listed in the next screen. If the malware finds a match, it will not replace any ads on that page because displaying porn ads or hacking websites using AdSense will lead to an account ban.
Checking whether the website has porn content.
Cybercriminals have a service for selling likes in Facebook. They target mainly small companies, games, or any application that needs more visibility and fans in Facebook. This malicious script also promotes some Facebook pages.
Promoting Facebook pages.
The preceding page belongs to an affiliate that spread this malicious extension. It has received more than 5,000 likes in the last three weeks–that’s a long time for malware like this to remain online.
Spreading in the wild
This version of LilyJade spreads through Facebook and Twitter by posting scam messages from the compromised account. The following code clearly shows its propagation technique.
Propagating through scams.
This version of LilyJade runs only on Firefox, Chrome, and Safari browsers. Our analysis is based on the Firefox extension, which is not a part of the cross-rider framework.
Facebook partnered with McAfee to detect these types of malicious extensions. If any Facebook users suspect that they are infected, then they can check and clean their systems with McAfee Scan and Repair.