Mass iFrame injection attack now counts millions of compromised web pages
Posted on 01 August 2011.
The recently discovered iFrame injection campaign rages on, as the number of compromised web pages goes from 90,000+ to over three million.


Armorize researchers have been keeping an eye on the unfolding situation and point out that the attackers are taking advantage of a number of vulnerabilities in the Open Source online shop e-commerce solution osCommerce.

The injected iFrames point to the willysy.com and exero.eu domains and, through a series of redirections and JavaScript loading of additional iFrames, take the user to a page on the arhyv.ru domain, where a number of exploits try to take advantage of a handful of vulnerabilities in the user's browser.

The initial malicious destination URL in the willysy infection chain has been changed because it has since been blocked. It is now the same as that for the exero one: musicyo.ru/d.php?[REMOVED] and, as I'm writing this, it is still active.

Armorize's CTO Wayne Huang tells me that the malicious executable is a backdoor of the SpyEye/Zeus family, which creates a directory on the victim's hard disc and copies itself in it. It then generates an encrypted file into the same folder and connects back to a predefined domain, and periodically to three other domains.

It currently has a rather low (11.6%) detection rate on VirusTotal.

In order to check if their website(s) have been affected by the attack, Armorize advises owners/administrators to check their logs for access from the following IPs: 178.217.163.33, 178.217.165.111, 178.217.165.71, 178.217.163.214 (located in Ukraine), and to check the web pages' source code for the offending iFrames.

If the result of this search is positive, they should install an AV solution on the computer through which they manage the website(s), remove all the injected backdoors/iFrames/JavaScript, upgrade the osCommerce installation and, in the end, change their website hosting and osCommerce admin passwords.
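The two checks Armorize recommends (access-log hits from the listed IPs, and page source carrying iFrames to the named domains) can be scripted; the following is an added example written for this page, not a tool from Armorize or the article. The log lines and HTML fed to it are constructed samples; the IPs and domains are the ones quoted above.

```python
import re

# Indicators quoted in the article.
ATTACKER_IPS = {"178.217.163.33", "178.217.165.111",
                "178.217.165.71", "178.217.163.214"}
IFRAME_DOMAINS = ("willysy.com", "exero.eu")

# Common/combined log format: the client IP is the first field.
_LOG_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s")
# An <iframe ...> tag; captures the value of its src attribute.
_IFRAME_RE = re.compile(
    r"<iframe\b[^>]*?\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)


def find_attacker_hits(log_lines):
    """Return (ip, line) for each log line whose client IP is on the list."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if m and m.group(1) in ATTACKER_IPS:
            hits.append((m.group(1), line.strip()))
    return hits


def find_injected_iframes(html):
    """Return src values of iframes whose host is (a subdomain of) a listed domain."""
    found = []
    for src in _IFRAME_RE.findall(html):
        host = re.sub(r"^[a-z]+://", "", src, flags=re.I).split("/")[0].lower()
        if any(host == d or host.endswith("." + d) for d in IFRAME_DOMAINS):
            found.append(src)
    return found


# Constructed sample data so the script runs stand-alone (not real logs).
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Jul/2011:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '178.217.165.71 - - [31/Jul/2011:10:03:44 +0000] "GET /default.php HTTP/1.1" 200 840',
    '178.217.163.214 - - [31/Jul/2011:10:03:59 +0000] "POST /default.php HTTP/1.1" 302 0',
]
SAMPLE_HTML = ('<html><body><h1>Shop</h1>'
               '<iframe src="http://willysy.com/" width=1 height=1></iframe>'
               '<iframe src="https://cdn.example.net/widget"></iframe>'
               '</body></html>')

if __name__ == "__main__":
    for ip, line in find_attacker_hits(SAMPLE_LOG):
        print("access from listed IP", ip, "->", line)
    for src in find_injected_iframes(SAMPLE_HTML):
        print("iframe to listed domain:", src)
```

Run it over the real access logs and every served HTML/PHP template rather than the samples; a hit on either check is the signal to follow the clean-up steps above.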
