May 17, 2012

Facebook is attempting to nip in the bud a new social networking worm that spreads via an application built to run seamlessly as a plugin across multiple browsers and operating systems. In an odd twist, the author of the program is doing little to hide his identity, and claims that his “users” actually gain a security benefit from installing the software.

At issue is a program that the author calls “LilyJade,” a browser plugin that uses Crossrider, an emerging programming framework designed to simplify the process of writing plugins that will run on Google Chrome, Internet Explorer, and Mozilla Firefox.  The plugin spreads by posting a link to a video on a user’s Facebook wall, and friends who follow the link are told they need to accept the installation of the plugin in order to view the video. Users who install LilyJade will have their accounts modified to periodically post links that help pimp the program.

The goal of LilyJade is to substitute code that specifies who should get paid when users click on ads that run on top Internet properties, such as,,,, and In short, the plugin allows customers to swap in their own ads on virtually any site that users visit.

I first read about LilyJade in an analysis published earlier this month by Russian security firm Kaspersky Labs, and quickly recognized the background from the screenshot included in that writeup as belonging to user from This is a relatively open online hacking community that is often derided by more elite and established underground forums because it has more than its share of adolescent, novice hackers (a.k.a. “script kiddies”) who are eager to break onto the scene, impress peers, and make money.

It turns out that the Hackforums user who is selling this plugin is doing so openly using his real name. Phoenix, Ariz. based hacker Dru Mundorff sells the LilyJade plugin for $1,000 to fellow Hackforums members. Mundorff, 29, says he isn’t worried about the legalities of his offering; he’s even had his attorney sign off on the terms of service that each user is required to agree to before installing it.

“We’re not forcing any users to be bypassed, exploited or anything like that,” Mundorff said in a phone interview.  “At that point, if they do agree, it will allow us to make posts on their wall through our system.”

Mundorff claims his software is actually a benefit to Facebook and the Internet community at large because it is designed to also remove infections from some of the more popular bot and Trojan programs currently for sale on Hackforums, including Darkcomet, Cybergate, Blackshades and Andromeda (the latter being a competitor to the password-stealing ZeuS Trojan that hides behind Facebook comments). Mundorff maintains that his plugin will result in a positive experience for the average Facebook user, although he acknowledges that customers who purchase LilyJade can modify at will the link that “users” are forced to spread, and may at any time swap in links to malware or exploit sites.

A LilyJade administrative panel

Dozens of customers who bought or trialed LilyJade posted statistics to Hackforums that purport to show the plugin spreading virally to tens of thousands of users per day. According to Mundorff, customers who use the system can expect to make about 50 cents per hour for every 100 users who install the plugin.

It’s impossible to verify those numbers or to say exactly how many Facebook users have installed this browser plugin. But the plugin has apparently been successful enough to have caught the attention of Facebook’s security team, which earlier this week sent Mundorff a cease-and-desist order demanding that he stop selling the program.

“Plugins such as LilyJade are configured to modify our [site] to inject ads and/or send spam through Facebook to the victim’s friends via wall posts and chat messages,” said Fred Wolens, public policy manager at Facebook. “These alterations materially change people’s Facebook experience and bypass Facebook’s quality and security controls. Additionally, programs like LilyJade can make Facebook slower, cause user confusion and can obfuscate authenticate user content by displaying banner ads.”

In a follow-up instant message conversation, Mundorff indicated that he has no intention of bowing to Facebook’s demands.

“I pretty much told them to go fuck themselves cause we cant post on anyones [sic] walls with out there [sic] permissions automated or not,” Mundorff said. “So they can go to hell.”

It remains to be seen who will prevail in this now-public battle (which according to Mundorff has since caught the interest of the anarchic hacker collective Anonymous). I wanted to call attention to this topic because I believe LilyJade is likely the precursor to a stream of malicious cross-browser plugins that we can expect in the coming months and years.

Plugin based threats seem to be especially pernicious because they work seamlessly across multiple operating systems and browsers, and are unlikely to be detected as malicious by antivirus software. What’s more, writing malicious plugins for different browsers has never been easier: Kango, an up-and-coming cross-browser plugin development environment that’s competing with Crossrider, supports plugins on even more browsers, including Opera and Safari.

The purpose of this post is not to cause alarm about legitimate development platforms like Crossrider and Kango, or even to dissuade people from using Facebook. It’s also true that rogue browser plugins are hardly a new problem, and that they can spread just as easily on Facebook as on Twitter, Pinterest or any other community where millions of users gather to share information. Rather, I wanted to remind readers that while modern malware can take many forms, it most often succeeds because computer users agree to install it in one form or another.

When in doubt, always consider Rule #1 from Krebs’s 3 Basic Rules for Online Safety: “If you didn’t go looking for it, don’t install it!” Religiously observing this advice will likely keep you safe from a huge percentage of the malware threats out there today.

42 thoughts on “Facebook Takes Aim at Cross-Browser ‘LilyJade’ Worm

  1. Wladimir Palant

    Brian, you probably didn’t mean to write “plugin” but rather “extension”. When talking about browsers, the term “plugin” is always associated with NPAPI plugins like Flash. These are always cross-browser (with the exception of Internet Explorer that doesn’t support NPAPI). Extensions are something entirely different as they don’t depend on a website to embed them, they are rather persistent and have access to browser internals. The APIs that can be used by extensions are very different in each browser, hence the Crossrider project.

  2. Jessica Ricks

    Brian why you can’t stop to do this? We are poor foreign students living abroad. Not in rich USA. We wanna eat something.

    Do not think that black market have super-duper profit. This is not true. You mess up our lives! Shame on you… Brian.

    Thank you.

    1. JCitizen

      I think I found one of these clicking on a friends post. When it redirected me, I went ‘home’. I’m not signing up for anything, or allowing any application to jerk me around on FB.

      I primarily joined FB as a business decision, not to get click happy.

    2. JCitizen

      Obviously, I’m not actually communicating with Jessica.

    3. pig

      Jessica Ricks
      your post made my day

  3. MrUnFixit-Maybe

    Not an appropriate time for somebody to be fiddling with FaceBoob’s income streams, is it?

  4. detro

    “Jessica” crawl back in your hole and die, at least when I was a young blackhat we never targeted individual’s, we always preferred rich corporations. Though as your grammar is barely readable I doubt you can do more than sign up with a pay per click affiliate and type ur infoz into a VB program.

    Oh gotta love the “Anonymous has shown an interest” comment, is that supposed to scare people? Are they even still pulling ddos attacks? I had’nt heard that they were targeting users en masse lately, last I checked they were going after companies and high profile targets.

    1. wiredog

      There was a report yesterday, in the ever reputable Slashdot, that anonymous was targeting Pirate Bay.

  5. Dru Mundorff

    Well first off LilyJade is being designed to be a botnet killer so were alot of people are on Facebook and Twitter and Pinterest people blindly don’t understand that these 3 sites are now the most common location to have your identity stolen.
    This is not from users coming in and searching your system they are from Botnets. You check out a fanpage or a application page and you are exploited into these botnets. Facebook security team has done very little to stop this interaction.
    So the result became simple how does one open up the world to being able to stop hackers from hacking people.. Get a group of hackers put them all together make them build out these botnet killers and allow users to have it installed on there computer.. Now your saying whats the cost. Simple.. You can choose to have a popup blocker correct? Yes.. You can choose to have a AD Blocker correct? Yes.. so why cant you choose which ads you see.. So if the cost of you is replacing these ads to be secured from people that would STEAL your credit card information and hurt you why wouldn’t you want to use it.

    Secondly our system is based through a API system that USERS agree to install and Users Agree to have us have the ability to post on there walls on there behalf. We don’t FORCE wall posting. Crossrider is very much against people trying to manipulate the system and So am I! As I have stated with Brian Krebs I don’t thing this is a system I want to see misused. But at the same time while in the development of this system we have taken a fire storm. Did we expect it to spread as well as it has over 30million installs in less then a month. NO!!

    With that said we have sat back and have imported that people are going to use our product maliciously so we have changed up our game to keeping the program available to the public to be able to purchase into for the cost of our servers and so forth at a 1000$ that is not based on the sales of product really but server hosting space and so forth.

    Now if every 100 users allows someone to make .50 cents a hour they are online think about facebook with 500million users online. That with my same pay scale average is 250million a month in advertisement revenue. So why they upset? Simple they are the largest monopoly in the world.
    Now in return lets talk about facebook. They will and do give our your personal information. I know recently moved they tracked down my address to the address.

    Pretty good. Now following that they sent a Cease and Desist! Cool.. for allowing users that agreed to a TOS and then agreed to install my software to allow us to post. Now they want me to stop.. Come on there is MILLIONS OF PEOPLE LOOKING FOR A INCOME IN THE WORLD!! WHATS FACEBOOK DOING?
    That being said if I had the ability to post on anyones wall with out there express knowledge then I would become instantly the largest Advertisement company in the world.

    But really I stand up cause of 1 thing and 1 thing only I am opening up the world to the digital age. If you can get 25000 people to install your system and use it each month you can pay that mortgage you can do it while working another job and make ends meet. If facebook wants to destroy over 20,000+ possible jobs then great but the PEOPLE deserve to have more!
    The People Deserve to be protected and the People deserve to have a voice with out trying to be silenced by Facebook.
    Also Zukerberg should of known you can put “Hack” on your walls if your not going to hire the best to begin with!

    Dru Mundorff
    Creator of LilyJade
    For the People about the People.

    1. BeepBox


      “Now following that they sent a Cease and Desist!”

      You’re own words are contradictory.

      Also your whole post is like a wall of babble so I don’t really understand it but if you’re trying to say that the cost of this package is $1000 to “cover server costs” pull the other one LOL.

  6. Tommy

    Dru please take an English writing course with your ill gotten gains thank you.

  7. JimV

    Yet more excellent reasons not to blindly use any of those platforms identified by clicking on anything that insists on flashing its own gotta-have, instant great-for-you/install-me-now presence that the user didn’t specifically request — Brian, many thanks for the forthright illustration of another serious threat that none of them (or their fanboys and -girlz) wish to acknowledge publicly!

  8. Dru Mundorff

    Sorry at 6am yes I was tired being up 36 hours and even as explained to Brian Krebs sorry for the spelling errors.
    Exe installations are for people that buy installs also known as Pay Per Install. Believe it or not, there are companies that do that kinda stuff.

    I have stated to Brian and MANY others that this system is one of the difference. Lets give a example users can’t install software with my system. The user has to ask permission to post or have any kind of viral spread from the user. Reguardless of how they got the install!!! Incase the install did in fact not agree to having it there they could then be made now well aware of it.

    Then you all can sit back and tag someone for doing something that is helping you as a bad thing. You don’t understand that botkillers (PROTECT YOU) this is something the majority of AV Companies have to detect and remove piece of.. These botnet owners only care to get your info use it sell it and move on.. Now if you could be protected from the most common and rarest bot herders then what. Then you get to spend nightmarish hours trying to get your money back with the bank, credit card companies, paypal.
    So the Majority of you get something so great and its coming at you at the smallest of prices and you chose to stone someone to help. Arrogance is what that is called. And if some skid that gets my system is using it wrong with a botnet it will be killed. Thats the point of the system.
    You don’t understand how and why this is a issue and have the ability to sit back and not understand what this software does to help.. Chances are you are the actual type of person that should install this system. Cause the majority of people couldn’t and wouldn’t know if a real hacker was hacking them or not.
    Its funny how people in glass houses feel they can argue and throw rocks.


    1. Dru2U2

      Nope, still not gettin’ it.

      Try again…

    2. Seymour Butz

      You fail English? That unpossible.

    3. Neej

      I don’t know if you realise it but you’re coming across as an idiot here in these posts. And what’s more an idiot that has the problem of thinking he’s so intelligent that people couldn’t possibly think of him as an idiot (could indicate frequent and regular drug use such as abuse of cannabis or diazapam type compounds).

      If you’d market your product as a security product to users people would take you seriously.

      Instead you market it to people that I’ll (being charitable) refer to as failed blackhat marketers. Failed because I earn hundred of dollars and hour from whitehat possibly greyhat marketing – if I can do it so can anyone else. By stealing ad space from Facebook which BTW has a woeful number of clickthroughs or conversions though if you’re not paying who cares I suppose.

      And then you come on here and try to claim it *isn’t* what I just outlined above because it’s a kind of half-assed security solution. Which is actually removing malware from users computers not because you want as little investigation as possible of possible malware, risking your own being removed, but because you care about fellow Facebook users. Seriously – like I said: drug abuser who doesn’t realise how dumb he looks and just keep ploughing on.

      Oh well in that case SpyEye must not be a banking trojan. No it’s actually an involuntary AV application doing good for the world’s computer users by removing a load of the competitors botnets.

      You’re an idiot that has no idea of how much of an idiot you actually come across as.

  9. Dru Mundorff

    Spyeye has features to get users information. My system does not. My system merely will allow users to have a botnet killer such as spyeye be removed.

    Spyeye- Steals logins / Passwords / Credit Cards / Name / Address/ Emails / ect Along with Zues Andromida and secondly if you don’t want my system great DONT install… ALSO my system can be UNINSTALLED WITH 3 CLICKS !! UNLIKE Any of the other botnet systems out in the world.

    So sir seriously your random incoherant psycho babble to rant on a upcoming product take will actually keep users safe at a cost of ads being exchanged. Period.. We don’t click jack the ads or anything users have that right also.
    So Neej I am not going to argue this any further. People rant that OMG its got the word WORM at the end.. Cool I didn’t add that ever. Then people label you a bad guy cause your a Hacker!
    Cool.. I guess that’s what I get I wouldn’t be treated differently then half the races and religions in the world people always sticking there noses in the air. I am ok with skeptics but Brian Krebs was the first person that actually asked to see something asked for me to share. He was the first to respectfully be shown the difference. So maybe instead of judging ask I am a very reasonable and fair person.

    I respect all groups except people that think they are better then others. So Judge me or Judge me not I can care less if you want to judge my system as being something that could be harmful.. Then stop using a computer cause that could be harmful. Stop using a cell.. if your going to tell me your not that technologically advanced to know it then chances are your the type of person that hackers would happily steal from.

    You will actually find out the majority of people responding to these post are little skiddies or people with tier 2 tech skills. Then I am actually receiving alot of praise as much as people don’t share praise cause it doesn’t sell and get there “Like” count up. But remember you can always ask me questions. Dont Judge the book by its cover yet folks.

    Skype – CodeCompilerhf

    1. BeepBox

      “I can care less if you want to judge my system as being something that could be harmful”

      Funny – I don’t usually write walls of text trying to justify myself in situations where I could care less.

    2. Dru2U2

      “random incoherant psycho babble”

      Dude, that’s oozing from YOUR pores!

  10. Dru Mundorff

    Also every user accepts this TOS for me to install!
    Web Site Terms and Conditions of Use

    1. Terms

    By accessing this web site, you are agreeing to be bound by these
    web site Terms and Conditions of Use, all applicable laws and regulations,
    and agree that you are responsible for compliance with any applicable local
    laws. If you do not agree with any of these terms, you are prohibited from
    using or accessing this site. The materials contained in this web site are
    protected by applicable copyright and trade mark law.

    2. Use License

    Permission is granted to temporarily download one copy of the materials
    (information or software) on Extention Plugins from Crossrider for Lilyjade’s web site for personal,
    non-commercial transitory viewing only. This is the grant of a license,
    not a transfer of title, and under this license you may not:

    modify or copy the materials;
    use the materials for any commercial purpose, or for any public display (commercial or non-commercial);
    attempt to decompile or reverse engineer any software contained on Extention Plugins from Crossrider for Lilyjade’s web site;
    remove any copyright or other proprietary notations from the materials; or
    transfer the materials to another person or “mirror” the materials on any other server.

    This license shall automatically terminate if you violate any of these restrictions and may be terminated by Extention Plugins from Crossrider for Lilyjade at any time. Upon terminating your viewing of these materials or upon the termination of this license, you must destroy any downloaded materials in your possession whether in electronic or printed format.

    3. Disclaimer

    The materials on Extention Plugins from Crossrider for Lilyjade’s web site are provided “as is”. Extention Plugins from Crossrider for Lilyjade makes no warranties, expressed or implied, and hereby disclaims and negates all other warranties, including without limitation, implied warranties or conditions of merchantability, fitness for a particular purpose, or non-infringement of intellectual property or other violation of rights. Further, Extention Plugins from Crossrider for Lilyjade does not warrant or make any representations concerning the accuracy, likely results, or reliability of the use of the materials on its Internet web site or otherwise relating to such materials or on any sites linked to this site.

    4. Limitations

    In no event shall Extention Plugins from Crossrider for Lilyjade or its suppliers be liable for any damages (including, without limitation, damages for loss of data or profit, or due to business interruption,) arising out of the use or inability to use the materials on Extention Plugins from Crossrider for Lilyjade’s Internet site, even if Extention Plugins from Crossrider for Lilyjade or a Extention Plugins from Crossrider for Lilyjade authorized representative has been notified orally or in writing of the possibility of such damage. Because some jurisdictions do not allow limitations on implied warranties, or limitations of liability for consequential or incidental damages, these limitations may not apply to you.

    5. Revisions and Errata

    The materials appearing on Extention Plugins from Crossrider for Lilyjade’s web site could include technical, typographical, or photographic errors. Extention Plugins from Crossrider for Lilyjade does not warrant that any of the materials on its web site are accurate, complete, or current. Extention Plugins from Crossrider for Lilyjade may make changes to the materials contained on its web site at any time without notice. Extention Plugins from Crossrider for Lilyjade does not, however, make any commitment to update the materials.

    6. Links

    Extention Plugins from Crossrider for Lilyjade has not reviewed all of the sites linked to its Internet web site and is not responsible for the contents of any such linked site. The inclusion of any link does not imply endorsement by Extention Plugins from Crossrider for Lilyjade of the site. Use of any such linked web site is at the user’s own risk.

    7. Site Terms of Use Modifications

    Extention Plugins from Crossrider for Lilyjade may revise these terms of use for its web site at any time without notice. By using this web site you are agreeing to be bound by the then current version of these Terms and Conditions of Use.

    8. Governing Law

    Any claim relating to Extention Plugins from Crossrider for Lilyjade’s web site shall be governed by the laws of the State of LilyJade OpenSource AZ without regard to its conflict of law provisions.

    General Terms and Conditions applicable to Use of a Web Site.

    Privacy Policy

    Your privacy is very important to us. Accordingly, we have developed this Policy in order for you to understand how we collect, use, communicate and disclose and make use of personal information. The following outlines our privacy policy.

    Before or at the time of collecting personal information, we will identify the purposes for which information is being collected.

    We will collect and use of personal information solely with the objective of fulfilling those purposes specified by us and for other compatible purposes, unless we obtain the consent of the individual concerned or as required by law.

    We will only retain personal information as long as necessary for the fulfillment of those purposes.

    We will collect personal information by lawful and fair means and, where appropriate, with the knowledge or consent of the individual concerned.

    Personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete, and up-to-date.

    We will protect personal information by reasonable security safeguards against loss or theft, as well as unauthorized access, disclosure, copying, use or modification.

    We will make readily available to customers information about our policies and practices relating to the management of personal information.

    We will make Post via social networks. Also agreeing to have sole use of our Adsense on your computer online with the ability to content lock any site that you will visit.

    You consent for us to be able to use your information for the basis of our adware product solely for the benifit of the person that connected you to the system.

    We are committed to conducting our business in accordance with these principles in order to ensure that the confidentiality of personal information is protected and maintained.

    1. .

      You spelled ‘extension’ as ‘extention’ so many times.

  11. Dru Mundorff

    And Yes Trolls have to try to degrade something great to make themselves feel better TrollsYourBoat 🙂 its going to happen but you gotta look them directly in the eye and smile at them while giving them the bird 😛

  12. Koby

    I agree with your message about the many forms
    modern malware can take.

    This is an issue we are constantly being faced with where those “script
    kiddies” are constantly trying to abuse modern technologies like
    Crossrider for their own malicious needs.

    I thought you would be interested to know that we are blocking on
    average 3-4 ‘LilyJade’ clones on a weekly basis (among the thousands of
    cross-browser extensions already being created with Crossrider). This
    really demonstrates the situation we are all facing on a daily basis.

    Here at Crossrider, while our goal is to create awesome tools for
    developers, we have zero tolerance for force posting on social networks and we are forced to devote some of our resources to
    monitor and block these type of apps. It is something that has always
    been there and will no doubt continue to be an issue which we have to
    be vigilant of.

    Again, great post and I couldn’t agree more with Rule #1!

    Koby Menachemi
    Founder & CEO, Crossrider

    1. Dru Mundorff

      First off on Crossriders system Koby users have to accept to have and allow users to be able to post with your api is this not correct?

      Secondly if users agree to a ToS to install and allow this why would this be a form of harrasment or spam? Its not.. sparingly this is the system that actually allows people to use and run.

      Thirdly Crossrider is 1 extension system long with Kango and others. If a user agree’s to install the system and allows for a wall post then were does this become a issue?

      We don’t push out Malware its a basis if anything as a adware. Which you yourself Koby have over how many installations ? 🙂 I can read you the facts you stated to me via a email.

      1. Koby

        Hey Dru,

        Crossrider does provide an easy-to-use Facebook API but when you set it up it connects to your Facebook application (it’s not a bypass of their system) and therefore you agree to Facebook’s T&C.

        Agreeing to Facebook’s T&C means you agree not to force status updates… AFAIK, even if your users agree to your ToS, it does not allow you to automatically post on their stream (again, it’s Facebook’s rules that you must comply with when using their API)

        If, for example, you ask your users whether they are willing to spread the word and post to their Facebook stream then you are complying with FB and therefore with Crossrider’s policy as well.


        p.s. – just to avoid any wild guessing re the email you are referring to, I’m attaching my reply to you in here:

        Hi Dru,

        Nice to meet you!

        You can use Crossrider under the free plan up to 1M users and then there is a license fee (or activating monetization tools on a rev-share basis).

        It’s very important to mention that we have very strict rules re type of apps which are allowed on our platform, for example you can not create phishing apps, use brand names as your app name, force posting to social networks, etc.

        If that still interesting for you then I would love to discuss it further (I’m also adding Sharon, Crossrider’s COO, who can provide more info if needed)
        Just to give you some background info: Crossrider has more than 6,000 developers and publishers using its platform with total of more than 50M end-users (we are adding more than 600k end-users on a daily basis). The platform is free as mentioned above but many of our developers are using monetization tools we provide (via 3rd parties).


  13. Kevin

    10 million, 1.5 million, 7 million?

    Why is counting so difficult in the computer age? Regardless, there is no sugar-coating that there were a millions more than there should’ve been.

    1. Kevin

      oops, posted in wrong story. apologies.

  14. Annette

    Dru’s facebook profile says it all, About Dru: I work on finding exploits to allow people to make extremely high profits in the shortest amount of time. Now I find them don’t use them so this is the basis of being a hacker. Ethical cause I choose to not know what others are using for or only want to know the good stuff. 🙂!/CodeCompiler1/info

    1. Richard Huff

      Maybe now you can get No Delay working? 😉

  15. pig

    Dru this guy is waiting for u


    1. MrUnFixit-Maybe

      How come this embedded youboob video from ‘pig’ can put up a rash of additional comments in my web browser when viewing the generated Hotmail email notification online in a browser?

      No, I am not infected (touch wood). It is a ‘feature’ of Hotmail and the carefully crafted original post, isn’t it?

      Wonder if anybody has considered this as yet another way of dropping drive-by infections?

      Would it be delicious for some nefarious types if Brian’s own web blog could be used to infest the ‘aware’ community?

      The most annoying thing is I didn’t need to click on anything to bring up the unwanted stuff.


      Correspondingly, would you ever consider clicking on posts (even here in this blog) that have shortened urls? No, neither would I! Then why do some people persist in using them at all?

      If you cannot be bothered doing a cut-and-paste on a long (and checkable) url, then please don’t bother posting.

  16. Educated

    Hey Dru,

    There != Their

    Just sayin’

  17. Cacing

    Zune and iPod: Most people comarpe the Zune to the Touch, but after seeing how slim and surprisingly small and light it is, I consider it to be a rather unique hybrid that combines qualities of both the Touch and the Nano. It’s very colorful and lovely OLED screen is slightly smaller than the touch screen, but the player itself feels quite a bit smaller and lighter. It weighs about 2/3 as much, and is noticeably smaller in width and height, while being just a hair thicker.

Comments are closed.