A cross-browser worm spreading across Facebook is using a commercial cross-browser extension engine. That is the finding of Kaspersky's Sergey Golovanov, who reported on his examination of the "LilyJade" worm. Golovanov found that LilyJade is built on a system called Crossrider, which lets developers write a browser extension against Crossrider's own API and then run that code as a portable extension on Internet Explorer (version 7 or later), Chrome and Firefox.
The LilyJade malware's actual payload appears to be focused on click fraud, spoofing ad modules on Yahoo, YouTube, Bing/MSN, AOL, Google and Facebook. It also has a Facebook-based proliferation mechanism that spams users with a "Justin Bieber in car crash" style message, complete with a link to a location where a user can be infected.
LilyJade is available on malware markets for around $1000. Kaspersky's Golovanov calls it "an excellent example of Malware 2.0-class programs based on modern web technologies, using social networks to propagate themselves and generating illegal incomes for their owners by spoofing various services." He also points out that the Crossrider creators' API, which currently supports Facebook, will soon also support Twitter.