Wayne Huang and his Armorize team have discovered a massive drive-by download that has infected more than 90,000 sites.
Some bullet points sent to me by Joe Franscella, who handles PR for the security vendor:
• Google has indexed over 90,000 infected sites
• The malicious domain is shown in the blog: willysy.com (do not visit, you may get infected)
• The attack targets osCommerce sites — Open Source eCommerce solutions used by over 249,000 online store owners
The Armorize malware blog includes multiple screen shots and code samples that illustrate the findings. Among other points:
--There's been a mass scale injection ongoing recently, with the injected iframe pointing to willysy.com. Google indicates more than 90,000 infected pages (note it's pages not domains).
--Browser exploits used:
CVE-2010-0840 -- Java Trust
CVE-2010-0188 -- PDF LibTiff
CVE-2010-0886 -- Java SMB
CVE-2006-0003 -- IE MDAC
CVE-2010-1885 -- HCP
1. Infected website is injected with one of several scripts:
2. Browser loads http://willysy.com/images/banners/, redirected (302) to http://papucky.eu/ext/
3. Contents of papucky.eu/ext/ is here on pastebin, loads JavaScript from http://gooqlepics.com/include.js?in=864
4. JavaScript here on pastebin, decodes to this, generates iframe pointing to: http://yandekapi.com/api?in=864
5. Contents of http://yandekapi.com/api?in=864 is here, redirects to: http://arhyv.ru/9VBMa76FFnB4VAYu0X5j755pMiSyVrcV
6. Contents of http://arhyv.ru/9VBMa76FFnB4VAYu0X5j755pMiSyVrcV is here, decodes to this. This includes multiple browser exploits.
7. After successful exploitation, browser downloads and executes malware from here:
http://46.16.240.18/9VBMa76FFnB4VAYu0X5j755pMiSyVrcV?s=mdacot
Thanks to the folks at Armorize for flagging this.
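The chain above starts with an iframe injected into a legitimate osCommerce page. The following scanner is an added example, not code from Armorize or this post: it walks a page's HTML and flags iframe or script tags that point at the hosts named in the chain, or that are hidden (zero size, display:none), which is how an injected frame usually looks to a site owner reviewing their own pages. The sample HTML is constructed for the example.

```python
"""Flag injected iframe/script tags of the kind used in the willysy.com mass
injection. Added example for site owners checking their own pages."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts taken from the redirect chain described in the post.
KNOWN_BAD_DOMAINS = {
    "willysy.com", "papucky.eu", "gooqlepics.com", "yandekapi.com", "arhyv.ru",
}


class InjectionScanner(HTMLParser):
    """Collect iframe/script tags whose src is a known-bad host, and iframes
    that are hidden, a common trait of injected frames."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = dict(attrs)
        src = a.get("src") or ""
        host = urlparse(src).hostname or ""
        reasons = []
        if host in KNOWN_BAD_DOMAINS or any(
                host.endswith("." + d) for d in KNOWN_BAD_DOMAINS):
            reasons.append("known-bad host")
        if tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            if (a.get("width") == "0" or a.get("height") == "0"
                    or "display:none" in style or "visibility:hidden" in style):
                reasons.append("hidden iframe")
        if reasons:
            self.findings.append((tag, src, reasons))


def scan_html(html):
    """Return a list of (tag, src, reasons) for suspicious iframe/script tags."""
    p = InjectionScanner()
    p.feed(html)
    return p.findings


# Constructed sample page modelled on the injection pattern (not a real capture).
SAMPLE = """<html><body><h1>Shop</h1>
<script src="/js/jquery.js"></script>
<iframe src="http://willysy.com/images/banners/" width="0" height="0"></iframe>
<iframe src="http://example.com/widget" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE):
        print(finding)
```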
--Bill Brenner