05
Aug 11

Is That a Virus in Your Shopping Cart?

facebooktwittergoogle_plusredditpinterestlinkedinmail

Six million Web pages have been booby-trapped with malware, using security vulnerabilities in software that hundreds of thousands of e-commerce Web sites use to process credit and debit card transactions.

Web security firm Armorize said it has detected more than six million Web pages that were seeded with attack kits designed to exploit Web browser vulnerabilities and plant malicious software. The company said the hacked sites appear to be running outdated and insecure versions of osCommerce, an e-commerce shopping cart program that is popular with online stores.

Armorize said the compromised pages hammer a visitor’s browser with exploits that target at least five Web browser plug-in vulnerabilities, including two flaws in Java, a pair of Windows bugs, and a security weakness in Adobe‘s PDF Reader. Patches are available for all of the targeted browser vulnerabilities.

According to Armorize, the malware targets osCommerce websites and leverages several osCommerce vulnerabilities: osCommerce Remote Edit Site Info Vulnerability (disclosed July 10th, 2011); osCommerce 2.3.1 banner_manager.php Remote File Upload Vulnerability (disclosed May 14, 2011); and OsCommerce Online Merchant v2.2 File Disclosure And Admin ByPass, (disclosed May 30, 2010).

Earlier this year, I wrote a lengthy piece for Kaspersky’s Secureview magazine on this subject: The story warned that criminals were using osCommerce vulnerabilities to hijack tens of thousands of Web sites that were later used to relay junk email and to host phishing scams. If you operate a site that uses osCommerce, please take a moment to ensure that your shopping cart software is up-to-date. The Armorize blog post lists several ways to tell if your site has been hacked. A handy tutorial on securing osCcommerce applications is available here.

Tags: , , , , ,

17 comments

  1. The URL you link to for the original Armorize blog post is blocked by Trend Micro OfficeScan with the claim that it is hosting malware. The following URL worked for me:

    http://blog.armorize.com/2011/08/willysy-oscommerce-injection-over-6.html

    I have a feeling it was a false positive but this may make it easier for folks behind a zealous corporate firewall to see the blog.

    • Avast also detects malware at the original link and the alternate, for what it’s worth.

      • I got this at the alternate site:

        Dear Reader, this blog contains full versions of malicious code and may trigger false positives from your antivirus software. Please be assured that the code is rendered as text for your research purposes, and not executed, and therefore any antivirus alert is a false positive. Thank you for supporting our blog!

    • Heh … well let’s face it, (unfortunately) it wouldn’t be the first time the website of an IT security firm has been hacked and had malware placed on the server.

      Thanks for the heads up in any case.

      • I suspect that the blog is getting flagged as malicious because of the content of the post, not because there is a virus present.

        They show the exploit and inject code as plain text for the reader to be able to understand. An automated scanner may not distinguish that it’s been written to read instead of being active on the webpage.

  2. If they’re estimating based on Google search result counts, those are sometimes hugely inflated.

  3. When will eCommerce sites be willing to certify prominently to the customer that their site contains the most recent versions and all patches, etc.; alternatively, are there any ways the customer can tell if an eCommerce site is running outdated software?

    • McAfee provides a website certification notification as a part of their antivirus package. It attaches to your browser and shows a green button if they approve, a white button if they don’t know, and I assume a red button if they think the site is unsafe.

  4. Clive Robinson

    Doug,

    It is not realy in a sites interest to advertise they are running the latest version for a number of reasons.

    Primarily because they would be building a “hamster wheel of pain” for themselves.

    This is because for a number of good and proper reasons they will not be running the latest version as and when it comes out.

    Any reasonable site will need to check that the latest version does not break something or introduce other unexpected vulnerabilits or embaresments (remember the shopping cart is just a component of the site).

    One thing sites are becoming more aware of is E-Fraud and it is not unknown for code repositories to be modified by persons of ill intent.

    Thus it is sensible for a reasonable site to take time to actualy do tests prior to rolling out replacment code.

    This applies not only to the latest and greatest update but also to security patches.

  5. u can get hmei7 mass osc scanner , with that u can upload the exploit page at more then 100 sites at second

  6. Clive, no offense, but you sound like too many of the IT types I’ve encountered. “We can’t do that. Blah blah…” It gets really old.

    The only cure I can think of for that is for senior management to man up and say to the balky IT guys: “We are not going to allow our customers to be screwed because of your inaction and our corporate image besmirched. You will either get your testing done much faster and the systems which are supposed to protect our customers fully current ASAP and keep them current or we’re getting some new IT guys! This meeting is over!”

    • Can you be any more of a douche?

    • Will Senior Management then man up to the flaws if/when found? Or will they still leave the IT department to twist in the wind?

      Remember that this is an E-Commerce site. If it becomes compromised you lose everything valuable about the customer that there is. Credit Card details, name, shipping/residence, e-mail. Big big baddy to commit. To say nothing of the harm done to the company by the loss of reputation, loss of sales, loss of presence while you take everything offline to try to clean and fix (Which would happen in that “rush” you speak of to get things moving).

      IT acts cautiously because it’s always the unknown out there that bites you. And if you forget to look for the known, well… hey, it’s ready and willing to join in the fray.

    • Hahaha seriously man …

      @Doug: “Clive, no offense, but you sound like too many of the IT types I’ve encountered. “We can’t do that. Blah blah…” It gets really old.”

      Did it occur to you that they are “IT Types” and when they say “we can’t do that” it’s because they know it would be counter-productive move. You know, it being their area of expertise and all that.

      @Doug: “The only cure I can think of for that is for senior management to man up and say to the balky IT guys: “We are not going to allow our customers to be screwed because of your inaction and our corporate image besmirched. You will either get your testing done much faster and the systems which are supposed to protect our customers fully current ASAP and keep them current or we’re getting some new IT guys! This meeting is over!” ”

      Apart from completely missing the point that Clive was making – ie. updating without testing can lead to issues such as complete site shutdowns, more 0day exploits with higher potential for damage to customers and a ****load of corporate image damage, you have a completely misguided view of IT systems and how they are implemented.

      The truth is websites and computer code is so complex it would literally take tens of years or longer in some cases to test every, single possibility that could occur. If you know anything about algorithms even in the purely mathematical sense you’ll know that every time you add a decision the complexity of possible outcomes (including exploits) increases by orders of magnitude.

      Since doing this level of testing would mean nothing would get released at all it’s simply not reasonable to demand testing to a level where one can confidently say “there’s no exploits”.

  7. Given that (currently) the two domains only seem to resolve to no more than one IP address each, it is fairly simple to block them. And in fact willysy.com may have been killed at a DNS level because currently I can’t get it to resolve at all (though that could just be openDNS).

    While that isn’t a great deal of work, it is an effort and it assumes that the security folks running vulnerable ecommerce sites are on the ball. This is yet another reason why it makes sense to use ThreatSTOP because we can do that work for you and have been blocking the sites for almost a week now: http://blog.threatstop.com/2011/08/02/threatstop-blocking-oscommerce-vulnerability/

  8. Readers may be interested to know that the number of infected website may now be as high as 8.3 million in number.

    Source: http://www.theregister.co.uk/2011/08/13/oscommerce_infection_threatens_web/

    Whilst El Reg is a pretty non-sensationalist site generally it’s not unknown for them to make mistakes or reprint utter rubbish (like most news sources) so take that with the grain of salt that it may or may not deserve.