Simply Security - News, Views, and Opinions from Trend Micro

Crossrider technology being exploited in infancy

Posted on June 15th, 2012 in Cybercrime, Internet Safety by Simply Security

A new software extension program allows developers to make software compatible across all platforms, but hackers are already using the same template to make malware. Crossrider, a cloud-based software suite created to help app developers easily program for support across multiple browsers, has only been around for a short while, but hackers are already making use of it.

Facebook face-off

Dubbed 'LilyJade' by its author, the first malware worm born of Crossrider is surfing Facebook pages to find its way onto personal computers, according to a report by PCWorld. Utilizing a click-fraud strategy, this worm hijacks ads on Yahoo, YouTube, Bing and other leading sites to earn cash for whoever created the program. LilyJade is specifically targeting Facebook users, however, by sending them spam messages in order to embed an exploit kit called Nuclear Pack, which will install itself in a user's Java, Flash or Adobe framework and farm clicks without the user knowing.

Updating and outdating

The worm represents the first of its kind, using legitimate cross-platform development software to create a bug that runs as a browser extension. It feeds on the weaknesses present in outdated versions of these programs in order to embed and install itself, according to malware expert Sergey Golovanov. He wrote in a recent blog post that LilyJade's uniqueness may make users more susceptible to picking it up.

Because the worm can easily jump from Mozilla to Internet Explorer to Safari and beyond, and is able to infect and control Linux, Apple and Windows operating systems, the LilyJade code is for sale on some websites for upwards of $1,000, according to Computerworld. It's also able to dodge antivirus programs, making it even harder to identify and remove, and therefore more valuable to hackers and scammers online.

"It is quite rare to analyze a malicious file written in the form of a cross-platform browser plugin," Golovanov said recently on his blog. "It is, however, even rarer to come across plugins created using cross-browser engines."

The threats grow

LilyJade isn't the first worm to use social networking, meaning data security visibility isn't totally lost here. A recent report showed that Facebook and Twitter are now contending with a new version of their old spam nemesis W32.Wergimog. Now in its second stage, Wergimog.B hijacks accounts in order to increase spam output while destroying competing worms and viruses. There's no word on whether Wergimog will take on LilyJade, but with the two bugs operating in the same social network, it's likely they'll have mutual friends on their affected user lists.


