Facebook is attempting to nip in the bud a new social networking worm that spreads via an application built to run seamlessly as a plugin across multiple browsers and operating systems. In an odd twist, the author of the program is doing little to hide his identity, and claims that his “users” actually gain a security benefit from installing the software.
At issue is a program that the author calls “LilyJade,” a browser plugin that uses Crossrider, an emerging programming framework designed to simplify the process of writing plugins that will run on Google Chrome, Internet Explorer, and Mozilla Firefox. The plugin spreads by posting a link to a video on a user’s Facebook wall, and friends who follow the link are told they need to accept the installation of the plugin in order to view the video. Users who install LilyJade will have their accounts modified to periodically post links that help pimp the program.
The goal of LilyJade is to substitute code that specifies who should get paid when users click on ads that run on top Internet properties, such as Facebook.com, Yahoo.com, Youtube.com, Bing.com, Google.com and MSN.com. In short, the plugin allows customers to swap in their own ads on virtually any site that users visit.
I first read about LilyJade in an analysis published earlier this month by Russian security firm Kaspersky Labs, and quickly recognized the background from the screenshot included in that writeup as belonging to user from hackforums.net. This is a relatively open online hacking community that is often derided by more elite and established underground forums because it has more than its share of adolescent, novice hackers (a.k.a. “script kiddies”) who are eager to break onto the scene, impress peers, and make money.
It turns out that the Hackforums user who is selling this plugin is doing so openly using his real name. Phoenix, Ariz. based hacker Dru Mundorff sells the LilyJade plugin for $1,000 to fellow Hackforums members. Mundorff, 29, says he isn’t worried about the legalities of his offering; he’s even had his attorney sign off on the terms of service that each user is required to agree to before installing it.
“We’re not forcing any users to be bypassed, exploited or anything like that,” Mundorff said in a phone interview. “At that point, if they do agree, it will allow us to make posts on their wall through our system.”
Mundorff claims his software is actually a benefit to Facebook and the Internet community at large because it is designed to also remove infections from some of the more popular bot and Trojan programs currently for sale on Hackforums, including Darkcomet, Cybergate, Blackshades and Andromeda (the latter being a competitor to the password-stealing ZeuS Trojan that hides behind Facebook comments). Mundorff maintains that his plugin will result in a positive experience for the average Facebook user, although he acknowledges that customers who purchase LilyJade can modify at will the link that “users” are forced to spread, and may at any time swap in links to malware or exploit sites.
Dozens of customers who bought or trialed LilyJade posted statistics to Hackforums that purport to show the plugin spreading virally to tens of thousands of users per day. According to Mundorff, customers who use the system can expect to make about 50 cents per hour for every 100 users who install the plugin.
It’s impossible to verify those numbers or to say exactly how many Facebook users have installed this browser plugin. But the plugin has apparently been successful enough to have caught the attention of Facebook’s security team, which earlier this week sent Mundorff a cease-and-desist order demanding that he stop selling the program.
“Plugins such as LilyJade are configured to modify our [site] to inject ads and/or send spam through Facebook to the victim’s friends via wall posts and chat messages,” said Fred Wolens, public policy manager at Facebook. “These alterations materially change people’s Facebook experience and bypass Facebook’s quality and security controls. Additionally, programs like LilyJade can make Facebook slower, cause user confusion and can obfuscate authenticate user content by displaying banner ads.”
In a follow-up instant message conversation, Mundorff indicated that he has no intention of bowing to Facebook’s demands.
“I pretty much told them to go fuck themselves cause we cant post on anyones [sic] walls with out there [sic] permissions automated or not,” Mundorff said. “So they can go to hell.”
It remains to be seen who will prevail in this now-public battle (which according to Mundorff has since caught the interest of the anarchic hacker collective Anonymous). I wanted to call attention to this topic because I believe LilyJade is likely the precursor to a stream of malicious cross-browser plugins that we can expect in the coming months and years.
Plugin based threats seem to be especially pernicious because they work seamlessly across multiple operating systems and browsers, and are unlikely to be detected as malicious by antivirus software. What’s more, writing malicious plugins for different browsers has never been easier: Kango, an up-and-coming cross-browser plugin development environment that’s competing with Crossrider, supports plugins on even more browsers, including Opera and Safari.
The purpose of this post is not to cause alarm about legitimate development platforms like Crossrider and Kango, or even to dissuade people from using Facebook. It’s also true that rogue browser plugins are hardly a new problem, and that they can spread just as easily on Facebook as on Twitter, Pinterest or any other community where millions of users gather to share information. Rather, I wanted to remind readers that while modern malware can take many forms, it most often succeeds because computer users agree to install it in one form or another.
When in doubt, always consider Rule #1 from Krebs’s 3 Basic Rules for Online Safety: “If you didn’t go looking for it, don’t install it!” Religiously observing this advice will likely keep you safe from a huge percentage of the malware threats out there today.