Armorize researchers have been keeping an eye on the unfolding situation and point out that the attackers are taking advantage of a number of vulnerabilities in the Open Source online shop e-commerce solution osCommerce.
The initial malicious destination URL in the willysy infection chain has been changed because it has since been blocked. It is now the same as that for the exero one: musicyo.ru/d.php?[REMOVED] and, as I'm writing this, it is still active.
Armorize's CTO Wayne Huang tells me that the malicious executable is a backdoor of the SpyEye/Zeus family, which creates a directory on the victim's hard disc and copies itself in it. It then generates an encrypted file into the same folder and connects back to a predefined domain, and periodically to three other domains.
It currently has a rather low (11.6%) detection rate on VirusTotal.
In order to check if their website(s) have been affected by the attack, Armorize advises owners/administrators to check their logs for access from the following IPs: 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168 (located in Ukraine), and to check the web pages' source code for the offending iFrames.
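The two checks Armorize recommends (grep the access logs for the listed IPs, inspect the HTML for injected iframes) can be scripted. The following is an added example, not Armorize's tooling or code from the article: it takes the four IPs and the musicyo.ru destination from the text above, parses Combined Log Format lines, and flags iframes that either point at a listed domain or are rendered invisible (zero size or `display:none`, an extra heuristic assumed here, not stated in the article). The log lines and HTML are constructed sample data.

```python
import re
from urllib.parse import urlparse

# Attacker IPs named in the advisory above.
SUSPECT_IPS = {"188.8.131.52", "184.108.40.206", "220.127.116.11", "18.104.22.168"}
# Malicious iframe destination named in the advisory; extend with any
# other hosts your own investigation turns up.
SUSPECT_DOMAINS = {"musicyo.ru"}

# Combined Log Format: ip ident user [time] "request" status bytes ...
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def find_suspect_accesses(log_lines):
    """Return (ip, timestamp, request) for every line from a listed IP."""
    hits = []
    for line in log_lines:
        m = ACCESS_LOG_RE.match(line)
        if m and m.group("ip") in SUSPECT_IPS:
            hits.append((m.group("ip"), m.group("ts"), m.group("req")))
    return hits


IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
# Heuristic (assumption, not from the advisory): injected iframes are
# usually made invisible so the shop page still looks normal.
HIDDEN_RE = re.compile(
    r"""\b(?:width|height)\s*=\s*["']?0(?:px)?["']?(?!\d)"""
    r"""|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.I,
)


def find_suspect_iframes(html):
    """Return (src, host, reason) for iframes that point at a listed
    domain or are rendered invisible."""
    findings = []
    for tag in IFRAME_RE.findall(html):
        src_m = SRC_RE.search(tag)
        src = src_m.group(1) if src_m else ""
        host = urlparse(src if "://" in src else "http://" + src).hostname or ""
        reasons = []
        if any(host == d or host.endswith("." + d) for d in SUSPECT_DOMAINS):
            reasons.append("known malicious domain")
        if HIDDEN_RE.search(tag):
            reasons.append("hidden iframe")
        if reasons:
            findings.append((src, host, ", ".join(reasons)))
    return findings


# Constructed sample data (not real logs or pages); paths and dates are placeholders.
SAMPLE_LOG = """\
188.8.131.52 - - [01/Jan/2000:03:12:01 +0000] "GET /admin/ HTTP/1.1" 200 512
192.0.2.10 - - [01/Jan/2000:03:13:44 +0000] "GET /index.php HTTP/1.1" 200 8192
184.108.40.206 - - [01/Jan/2000:03:15:09 +0000] "POST /admin/ HTTP/1.1" 302 0
"""

SAMPLE_HTML = """<html><body><h1>Shop</h1>
<iframe src="http://musicyo.ru/d.php?REDACTED" width="0" height="0"></iframe>
<iframe src="https://www.example.com/embed/widget" width="300" height="150"></iframe>
</body></html>"""

if __name__ == "__main__":
    for ip, ts, req in find_suspect_accesses(SAMPLE_LOG.splitlines()):
        print(f"log hit: {ip} at {ts}: {req}")
    for src, host, why in find_suspect_iframes(SAMPLE_HTML):
        print(f"iframe: {src} ({why})")
```

Run it against a real access log with `find_suspect_accesses(open(path).read().splitlines())` and against each page with `find_suspect_iframes(html)`; a hit on the IP list is evidence of contact, not necessarily of compromise, so follow it up with the iframe check on the pages those requests touched.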