willysy.com Mass Injection ongoing,More than 90,000 Pages compromised

Jack
malwaretips.com
Researchers from Armorize have discovered a massive iframe injection campaign that has infected more than 90,000 Web pages.



Here's a YouTube video of the entire infection process:
Uploaded by ArmorizeTech on Jul 25, 2011
 
Interesting, the number of websites infected and how many processes are launched.
 
I downloaded the .exe it directs to. Uploaded to VirusTotal.

Antivirus results
Comodo - 9524 - 2011.07.27 - Heur.Packed.Unknown
Panda - 10.0.3.5 - 2011.07.26 - Suspicious file
File info:
MD5: fe31bbcacb872126f906a68c585c19ff
SHA1: aa0227f28dcbb8dde7185d87a0c3517ea86888e7
SHA256: 55ea9b2d2f171d5441d09bca3cf3517b59d8ccfebb95e8cbb717620dbf9d86d6
File size: 47104 bytes
Scan date: 2011-07-27 09:51:19 (UTC)

Code:
http://bit.ly/rmjAu3
 
Interesting that the exploit will open many processes until it downloads malware without the user's consent.

Since there are so many infected web pages, surely the exploit will do the same.
 
I'm looking for the Process Monitor tool he uses but cannot find the right one; does someone know where it is?
 
MrXidus said:
I downloaded the .exe it directs to. Uploaded to VirusTotal.

Antivirus results
Comodo - 9524 - 2011.07.27 - Heur.Packed.Unknown
Panda - 10.0.3.5 - 2011.07.26 - Suspicious file
File info:
MD5: fe31bbcacb872126f906a68c585c19ff
SHA1: aa0227f28dcbb8dde7185d87a0c3517ea86888e7
SHA256: 55ea9b2d2f171d5441d09bca3cf3517b59d8ccfebb95e8cbb717620dbf9d86d6
File size: 47104 bytes
Scan date: 2011-07-27 09:51:19 (UTC)

Code:
http://bit.ly/rmjAu3

COMODO's heuristic engine is one of the best on the market, very responsive even on "Low" settings.

This iFrame attack is very aggressive since it's using a good amount of exploits:

Browser exploits used:
CVE-2010-0840 -- Java Trust
CVE-2010-0188 -- PDF LibTiff
CVE-2010-0886 -- Java SMB
CVE-2006-0003 -- IE MDAC
CVE-2010-1885 -- HCP
BTW Firefox, Chrome and Safari users can rest safe for now - the page has been reported as an attack site and is currently blocked.
 
Note only that the operating system platform will be compatible up to XP.

On the Armorize blog post about that exploit, a comment also asked what tool it is.
 
In less than two weeks, a malware injection that targets e-commerce Web pages has ballooned from 90,000 infected pages to more than 6 million.

The malware, called willysy, exploits a vulnerability in a popular online merchant platform, osCommerce, according to Web application security provider Armorize, of San Francisco.

When the company initially reported the injection on July 24, it found 90,000 infected pages. When it took another look at the malware on August 3, it found the injection had spread to some 6.3 million pages.

Although the identity of the perpetrators of the attacks by the malware could not be identified by Armorize, the company did trace the forays to eight IP addresses, all located in the Ukraine.

Armorize explained that the attacks exploit three known vulnerabilities in version 2.2 of osCommerce. The exploits allow the attackers to place an invisible frame (iFrame) on the page and then inject malicious code (JavaScript) into the page, where it will infect visitors to the online store.

Once the infection makes it to a shopper's computer, it targets vulnerabilities in Java, Adobe Reader, Windows Help Center and Internet Explorer. Although the flaws in those programs targeted by the infection are known and have been patched, the attackers are betting that the user hasn't patched all the programs.

Read More Here
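The article above describes the injection footprint: an invisible iframe planted in the store page. As an added example (not Armorize's, osCommerce's or the thread's own code), here is a small Python auditor a site owner could run over their page HTML to flag hidden iframes; the sample HTML and the `example.invalid` host are constructed.

```python
"""Flag hidden iframes in HTML, the footprint of a willysy-style injection.
Added example, not code from the original thread; sample input is constructed."""
from html.parser import HTMLParser
import re

# Constructed sample: a shop page with one injected hidden iframe and one
# legitimate, visible embed.
SAMPLE_HTML = """<html><body><h1>Shop</h1>
<iframe src="http://example.invalid/in.php" width="0" height="0"
 style="visibility:hidden"></iframe>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
</body></html>"""

# Inline-style patterns that make an element invisible.
HIDDEN_STYLE = re.compile(
    r"(display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?<![\w-])(?:width|height)\s*:\s*0(?![.\d]*[1-9]))", re.I)


def _is_zero(value):
    """True if a width/height attribute is 0 or 1 (effectively invisible)."""
    try:
        return int(re.sub(r"px|%", "", value or "").strip()) <= 1
    except ValueError:
        return False


class IframeAuditor(HTMLParser):
    """Collects every iframe and records whether it is hidden."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        hidden = (_is_zero(a.get("width")) or _is_zero(a.get("height"))
                  or bool(HIDDEN_STYLE.search(a.get("style") or "")))
        self.findings.append({"src": a.get("src", ""), "hidden": hidden,
                              "line": self.getpos()[0]})


def audit_html(html):
    """Return the iframes that are hidden; visible embeds are not reported."""
    p = IframeAuditor()
    p.feed(html)
    return [f for f in p.findings if f["hidden"]]


if __name__ == "__main__":
    for f in audit_html(SAMPLE_HTML):
        print(f"line {f['line']}: hidden iframe -> {f['src']}")
```

A hit is a lead, not proof: compare the flagged `src` against what the store template legitimately embeds before treating it as an injection.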
 


6 million infected pages...... that's definitely a serious attack.... osCommerce is a popular platform, so that's one of the reasons why this attack was so successful...

This attack targets osCommerce websites and leverages several osCommerce vulnerabilities, including osCommerce Remote Edit Site Info Vulnerability, disclosed July 10th, 2011, osCommerce 2.3.1 (banner_manager.php) Remote File Upload Vulnerability, disclosed May 14, 2011, and Oscommerce Online Merchant v2.2 File Disclosure And Admin ByPass, disclosed May 30, 2010.

The developers of osCommerce didn't release any updates for their software yet... even though this attack was revealed almost 2 weeks ago and one of the exploits is based on a vulnerability which can be found even in v2.2........ :shok:
 