Daily cyber threats and internet security news: network security, online safety and latest security alerts
August 26th, 2011

osCommerce Compromised Sites Distribute ZeuS Spin-off Trojan, Millions Of Pages Infected

Security researchers warn that variants of a ZeuS spin-off trojan called Ice-IX are being distributed from osCommerce websites compromised during a recent mass injection attack. The attack targeting osCommerce installations vulnerable to a flaw that dates from November 2010 began at the end of July.

The code injection campaign escalated quickly: the number of infected pages jumped from 90,000 to over 3.8 million within a week, and to 8 million two weeks later. The attack even prompted the German Federal Office for Information Security (BSI) to issue an alert because many of the infected websites are German online shops.

The code injected into the pages leads to externally hosted drive-by download exploits that target vulnerabilities in unpatched versions of Java, Adobe Reader, Internet Explorer and Windows XP. If exploitation is successful, a trojan is installed on the victim’s computer. According to the Malware Domain List, a non-commercial community project that tracks malicious URLs, that trojan is now Ice-IX.

“Ice-IX (modified Zeus) is currently being distributed by Oscommerce mass compromise campaign,” the project warned via Twitter. Ice-IX is a new banking trojan based on the ZeuS source code leaked earlier this year.

The Ice-IX builder is sold on the underground market for as much as $1,800. Like ZeuS, it injects itself into browser processes to steal information, but one particularity of the samples seen so far is that they also steal Amazon AWS credentials.

Online shop owners who use osCommerce should upgrade to versions 2.3.1 or 3.0.2 of the platform as soon as possible. They are also advised to strengthen the security of their installations by implementing several recommendations described in a post on the osCommerce support forum.

Users should keep the software installed on their computers up to date and should run an antivirus solution capable of scanning web traffic.

Credit: News
