OsCommerce Malware Infection

Three months ago is started a huge site infection campaign with lens oscommerce, a famous cms for medium/little on-line stores. This cms suffers of few vulnerabilities that can lead an attacker to upload files and execute remote code.

Vulnerabilities:
-  osCommerce 2.2 Remote File Upload Vulnerability
-  osCommerce authentication bypass
-  osCommerce 2.2 Arbitrary PHP Code Execution
-  osCommerce 2.3.1 Remote File Upload Vulnerability

Today (4/10/2011) the total number of infected sites is 830,000 but two months ago was 8 million.


In some compromised sites the attacker has left the webshell.




After uploading a backdoor the attacker edit the home page and add a script/iframe tag that load multiple browser exploits.

Exploits used:
- IE 6 Remote Code Execution
- Java Runtime Environment Remote Code Execution Vulnerability
- Microsoft Windows Help
- Adobe Reader and Acrobat 8.x

After successful exploitation a malware is downloaded and executed.

VIDEO EXAMPLE

Scenario:
- 192.168.2.13 ----> Attacker with BackBox 2.0
- 192.168.2.7/os/ -----> Victim with osCommerce 2.2
- http://coolsite.dot ----> Malware host

- jquery.js (IE 6 Remote Code Execution CVE-2006-0003)
- windows.exe (windows calculator with reverse meterpreter tcp payload)

Steps:
What i want to show you is how probably an attacker has infected a site running an old copy of osCommerce to spread malware. These are the steps to follow:

1- Find a place where we can host our malicious code so we need to find a server with weak ssh/ftp password (coolsite.dot).

2- Create our malware injecting a meterpreter reverse payload into calc.exe and encoding it 3 times using shikata_ga_nai.

3- Waiting the connection back.

4- Upload malware and exploit to coolsite.dot.

5- Waiting for a victim.

6- Do what you want.

After obtaining the meterpreter shell we start the keylogger to steal gmail login credentials.


Reference and more detailed information:
-  Willysycom mass injection ongoing
- Metasploit Unleashed

Comments

  1. UnknownDecember 5, 2012 at 6:01 PM

    This comment has been removed by a blog administrator.

    ReplyDelete

Post a Comment

Popular posts from this blog

Java Exploit Code Obfuscation and Antivirus Bypass/Evasion (CVE-2012-4681)

Image
Why not play a game where we try to make the latest (at time of writing) public java exploit ( CVE-2012-4681 ) undetected by all antivirus and see who will be the last to detect it ?. I think it will be a funny "challenge" because evading antivirus has always his charm. I will not use software obfuscators like proGuard, Allatori, Zelix KlassMaster etc... This because will not be funny. This is not intended to be an analysis or explanation because there are already great post here: http://immunityproducts.blogspot.com.ar/2012/08/java-0day-analysis-cve-2012-4681.html http://www.deependresearch.org/2012/08/java-7-vulnerability-analysis.html http://www.h-online.com/security/features/The-new-Java-0day-examined-1677789.html Before we start we need to make two considerations: From The Current Web-Delivered Java 0Day :  So while you may see a few links to Virustotal with the inevitable complaining that a scanner is missing a specific chunk of altered code along with innacc
Read more

The Latest Java Exploit with Security Prompt/Warning Bypass (CVE-2013-2423)

Image
From Java SE 7 update 11 oracle has introduced a new security features called  security warning that prompts a window every time an applet request for execution. For example, if we want to execute latest Java SE 7 update 17 exploit we get this warning. Yesterday Immunity has published a blog post explaining a new vulnerability they have found into the java validating mechanism which allow to execute an untrusted applet without showing the warning. For in-dept details read their blog post here . Briefly, to bypass the above prompt you must call the applet with the parameter __applet_ssv_validated set to true. The only way to manipulate this parameter is to use a java Network Launch Protocol file. Regarding to oracle there are two ways to use JNLP in a page: With the applet tag  With javascript only Let's try first the example with the tag applet. The code we're going to run is the latest publicly available java exploit CVE-2013-2423 .  import java.applet.
Read more

Deobfuscating Java 7u11 Exploit from Cool Exploit Kit (CVE-2013-0431)

Image
At the beginning of the past week @EKWatcher  has spotted Cool Exploit Kit using Java 7 update 11 vulnerability (CVE-2013-0431). This vulnerability was already reported by Security Explorations on seclist few days after Oracle issued update 11. I decided take a look at it. I found a website infected by Cool EK that after a successfull exploitation dropped Reveton into " C:\Documents and Settings\<usarname>\Application Data " folder on Windows XP. The applet used by Cool EK was named would-blood.jar and once opened with JD-GUI the result was this. As you can see it's obfuscated, not heavily but obfuscated. The first thing to do when you want to start deobfuscating an applet is to find the init() function which is the "starting point" and cannot be changed. Remember that for serialized applets the starting point is a function called start() instead of init(). The init function is inside  hw class. It's immediately evident that al
Read more