We recently reported on a massive drive-by-download campaign affecting some 90,000 Web pages. In the less than two weeks since that report, the same campaign is now affecting more than six million pages.
The obvious question is: why has there been such an aggressive increase in the number of infected pages? The best answer to that question has more to do with timing and Google’s indexing process than it has to do with the nature of the attack itself according to Armorize’s President and CTO, Wayne Huang.
“I think we reported this incident very early on in its baby stage,” Huang told Threatpost via email earlier this week. “Then as more sites are infected and Google started to revisit the pages and indexed the infections, Google’s count started to increase.”
As reported previously, the attack is targeting mostly osCommerce sites. According to the report from Armorize, the attack is leveraging a number of known osCommerce bugs, including a Remote Edit Site Info Vulnerability, disclosed on July 10th of this year, a Remote File Upload Vulnerability, disclosed on May 14 of this year, and an Online Merchant v2.2 File Disclosure and Admin ByPass that was disclosed on May 30 of last year.
Once infected, most affected sites will modify the “store name” values to inject one of two iframes coming from either “exero.eu/catalog/jquery.js” or “http://willysy.com/images/banners/.” However, in some cases the attackers are leaving backdoors or “webshells.” According to the report, this is happening, for the most part, on sites with shared hosting accounts where backdoors would allow the attacker access to multiple accounts on the same server.
The IP addresses of those launching the attacks appear to have originated in the Ukraine and belong to an ISP whose website is www.didan.com.ua.
Researchers at Armorize are still analyzing the attack and working out concrete details on where the attack is coming from and who is behind it. For more depth and continued anlysis on this story, you can find the entire Armorize report here.