Drive-by download infects more than 90,000 sites, Armorize warns

Wayne Huang and his Armorize team have discovered a massive drive-by download that has infected more than 90,000 sites.

Some bullet points sent to me by Joe Franscella, who handles PR for the security vendor:

• Google has indexed over 90,000 infected sites

• The malicious domain is shown in the blog: willysy.com (do not visit, you may get infected)

• The attack targets osCommerce sites — Open Source eCommerce solutions used by over 249,000 online store owners

The Armorize malware blog includes multiple screen shots and code samples that illustrate the findings. Among other points:

--There's been a mass scale injection ongoing recently, with the injected iframe pointing to willysy.com. Google indicates more than 90,000 infected pages (note it's pages not domains).

--Browser exploits used:

CVE-2010-0840 -- Java Trust

CVE-2010-0188 -- PDF LibTiff

CVE-2010-0886 -- Java SMB

CVE-2006-0003 -- IE MDAC

CVE-2010-1885 -- HCP

1. Infected website is injected with one of several scripts:

2. Browser loads http://willysy.com/images/banners/, redirected (302) to http://papucky.eu/ext/

3. Contents of papucky.eu/ext/ are here on pastebin, loads JavaScript from http://gooqlepics.com/include.js?in=864

4. JavaScript here on pastebin, decodes to this, generates iframe pointing to:

http://yandekapi.com/api?in=864

5. Contents of http://yandekapi.com/api?in=864 is here, redirects to: http://arhyv.ru/9VBMa76FFnB4VAYu0X5j755pMiSyVrcV

6. Contents of http://arhyv.ru/9VBMa76FFnB4VAYu0X5j755pMiSyVrcV is here, decodes to this. This includes multiple browser exploits.

7. After successful exploitation, browser downloads and executes malware from here:

http://46.16.240.18/9VBMa76FFnB4VAYu0X5j755pMiSyVrcV?s=mdacot
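The chain above starts with an injected iframe on the store's own pages, so the first thing a site owner can do is scan their HTML for it. The following scanner is an added example written for this article, not code from Armorize or from the osCommerce project. The host list is taken from the redirect chain described in the post; the sample page below is constructed for illustration and is not a capture of a real infected site. Besides matching the known hosts, it flags zero-size or display:none iframes, the usual shape of an injected frame, so it also catches a later campaign that swaps domains.

```python
"""Scan HTML for iframes/scripts pointing at the willysy.com redirect chain.

Added example, not Armorize's or CSO's code. Indicator hosts come from the
chain described in the post; SAMPLE_PAGE is constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that appear in the redirect chain Armorize documented.
CHAIN_INDICATORS = {
    "willysy.com",
    "papucky.eu",
    "gooqlepics.com",
    "yandekapi.com",
    "arhyv.ru",
    "46.16.240.18",
}


def _looks_hidden(attrs):
    """Zero/one-pixel or display:none iframes are the hallmark of an injected frame."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        val = (attrs.get(dim) or "").strip().rstrip("px")
        if val.isdigit() and int(val) <= 1:
            return True
    return False


class InjectionScanner(HTMLParser):
    """Collects iframe/script sources and flags those that hit the indicator
    list or that are hidden from the visitor."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        attrs = dict(attrs)
        src = attrs.get("src")
        if not src:
            return  # inline script or frame without a source: nothing to resolve
        host = urlparse(src).hostname or ""  # relative URLs resolve to no host
        reasons = []
        if host in CHAIN_INDICATORS or any(host.endswith("." + h) for h in CHAIN_INDICATORS):
            reasons.append("known-bad host")
        if tag == "iframe" and _looks_hidden(attrs):
            reasons.append("hidden iframe")
        if reasons:
            self.findings.append({"tag": tag, "src": src, "host": host, "reasons": reasons})


def scan_html(html):
    """Return a list of suspicious iframe/script tags found in the page."""
    parser = InjectionScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a storefront page with one injected, hidden iframe.
SAMPLE_PAGE = """
<html><body>
<h1>My Store</h1>
<script src="/catalog/includes/general.js"></script>
<iframe src="http://willysy.com/images/banners/" width="0" height="0" style="display:none"></iframe>
<iframe src="https://www.youtube.com/embed/xyz" width="560" height="315"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE):
        print(f"{f['tag']} src={f['src']} -> {', '.join(f['reasons'])}")
```

Run it over each stored page or template; any hit on a known-bad host is a confirmed injection, while a hidden iframe to an unknown host is worth a manual look. Because the injected code sits in the site's own files, a hit also means the server has been written to, so the fix is cleaning the files and closing the osCommerce hole that let the attacker in, not only removing the iframe.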

Thanks to the folks at Armorize for flagging this.

--Bill Brenner

Copyright © 2011 IDG Communications, Inc.
