A cross-browser worm spreading across Facebook is using a commercial cross-browser extension engine. That was the finding made by Kaspersky's Sergey Golovanov who reported on his examination of the "LilyJade" worm. Golovanov found that a system called Crossrider is used by LilyJade. Crossrider allows developers to write extensions for the browser to its own API and then allows that code to work as a portable extension on Internet Explorer (version 7 or later), Chrome and Firefox.

But when you have malware as a portable extension it can also infect browsers running on Linux or Mac OS X as well. Most AV software will not look for it as it is purely JavaScript and doesn't try to leave the browser. Malicious extensions are not new but have traditionally been written to target a particular browser – by using the Crossrider cross-browser extension kit, the LilyJade authors have ensured the maximum coverage for their MitB (Man in the Browser) attack.

The LilyJade malware's actual payload appears to be focused on click fraud, spoofing ad modules on Yahoo, YouTube, Bing/MSN, AOL, Google and Facebook. It also has a Facebook-based proliferation mechanism which spams users with a "Justin Bieber in car crash" style message complete with link to a location where a user can be infected.

LilyJade is available on malware markets for around $1000. Kaspersky's Golovanov calls it "an excellent example of Malware 2.0-class programs based on modern web technologies, using social networks to propagate themselves and generating illegal incomes for their owners by spoofing various services." He also points out that the Crossrider creators' API, which currently supports Facebook, will soon also support Twitter.

(djwm)