Salted Hash — IT security news

About this Blog:

IT security news analysis, over easy!

Bill Brenner

Drive-by download infects more than 90,000 sites, Armorize warns

Wayne Huang and his Armorize team have discovered a massive drive-by download that has infected more than 90,000 sites.

Some bullet points sent to me by Joe Franscella, who handles PR for the security vendor:

• Google has indexed over 90,000 infected sites
• The malicious domain is shown in the blog: willysy.com (do not visit, you may get infected)
• The attack targets osCommerce sites — Open Source eCommerce solutions used by over 249,000 online store owners

The Armorize malware blog includes multiple screen shots and code samples that illustrate the findings. Among other points:

--There's been a mass scale injection ongoing recently, with the injected iframe pointing to willysy.com. Google indicates more than 90,000 infected pages (note it's pages not domains).

--Browser exploits used:
CVE-2010-0840 -- Java Trust
CVE-2010-0188 -- PDF LibTiff
CVE-2010-0886 -- Java SMB
CVE-2006-0003 -- IE MDAC
CVE-2010-1885 -- HCP

1. Infected website is injected with one of several scripts:

2. Browser loads http://willysy.com/images/banners/, redirected (302) to http://papucky.eu/ext/

3. Contents of papucky.eu/ext/ are here on pastebin, loads JavaScript from http://gooqlepics.com/include.js?in=864

4. JavaScript here on pastebin, decodes to this, generates iframe pointing to:

http://yandekapi.com/api?in=864

5. Contents of http://yandekapi.com/api?in=864 is here, redirects to: http://arhyv.ru/9VBMa76FFnB4VAYu0X5j755pMiSyVrcV

6. Contents of http://arhyv.ru/9VBMa76FFnB4VAYu0X5j755pMiSyVrcV is here, decodes to this. This includes multiple browser exploits.

7. After successful exploitation, browser downloads and executes malware from here:
http://46.16.240.18/9VBMa76FFnB4VAYu0X5j755pMiSyVrcV?s=mdacot
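A defender-side check built from the indicators in the chain quoted above (an added example, not Armorize's or this blog's code): parse a page's HTML and flag any iframe or external script whose host is one of the domains or the IP named in the write-up, or any iframe that is hidden or zero-size the way injected frames typically are. The `KNOWN_BAD_HOSTS` list is taken from the steps above and the sample HTML is constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts named in the quoted infection chain (constructed list for this example).
KNOWN_BAD_HOSTS = {
    "willysy.com", "papucky.eu", "gooqlepics.com",
    "yandekapi.com", "arhyv.ru", "46.16.240.18",
}

class FrameCollector(HTMLParser):
    """Collect every <iframe> and <script> that carries a src attribute."""
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            a = dict(attrs)
            if a.get("src"):
                self.found.append((tag, a))

def is_blocklisted(host):
    # Match the listed host itself or any subdomain of it.
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in KNOWN_BAD_HOSTS)

def looks_hidden(attrs):
    # Injected frames are usually 0/1 px or styled invisible so victims see nothing.
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style

def scan_html(html):
    """Return [(tag, src, [reasons])] for every suspicious element in the page."""
    p = FrameCollector()
    p.feed(html)
    findings = []
    for tag, a in p.found:
        reasons = []
        host = urlparse(a["src"]).hostname or ""   # handles http://, //host/ forms
        if is_blocklisted(host):
            reasons.append("blocklisted host " + host)
        if tag == "iframe" and looks_hidden(a):
            reasons.append("hidden/zero-size iframe")
        if reasons:
            findings.append((tag, a["src"], reasons))
    return findings

# Constructed sample: an osCommerce footer with one injected frame and one benign one.
SAMPLE = """<html><body><div id="footer">Powered by osCommerce</div>
<iframe src="http://willysy.com/images/banners/" width="1" height="1" style="display:none"></iframe>
<iframe src="https://example.com/widget" width="300" height="200"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE):
        print(finding)
```

Run it over each page of a site export (or the HTML returned for the store's front page) and treat any finding as grounds to pull the page for review; the hidden-iframe heuristic also catches injections pointing at hosts not yet on the list.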
Thanks to the folks at Armorize for flagging this.

--Bill Brenner





