Malware Feeds Off Slow Patching

Wednesday, August 10, 2011 @ 12:08 PM gHale

A malware injection that feeds off slow patching targets e-commerce Web pages and has grown from 90,000 infected pages to more than 6 million in two weeks.

The malware, called willysy, exploits a vulnerability in an older version of the osCommerce online merchant platform, said Web application security provider Armorize, of San Francisco. The catch is that the vendor already patched the vulnerability; the attackers prey on organizations that did not apply the patch.


When the company initially reported the injection on July 24, it found 90,000 infected pages. When it took another look at the malware on August 3, it found the injection had spread to 6.3 million pages.

Although the identity of the perpetrators was not immediately available, Armorize did trace the attacks back to eight IP addresses in Ukraine.

The attacks exploit three known vulnerabilities in version 2.2 of osCommerce, Armorize officials said. The exploits allow the attackers to place an invisible frame (iFrame) on the page and then inject malicious code (JavaScript) into the page, where it will infect visitors to the online store.
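Because the injected iframe is deliberately made invisible (zero or one-pixel dimensions, or hidden by CSS), a store operator can detect this class of compromise by scanning the site's own rendered pages or templates for iframes with those properties. The following scanner is an added example written for this article, not code from Armorize, osCommerce or the original report; the sample page, the flagged URLs and the hiding heuristics are constructed assumptions, and the real injection may use other tricks.

```python
"""Flag hidden iframes of the kind used in drive-by injections.

Added example: scans HTML for <iframe> tags that are hidden by size or style,
which is how injected frames are typically concealed from the store's visitors.
"""
from html.parser import HTMLParser
import re

# CSS that hides an element outright or collapses it to nothing.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:width|height)\s*:\s*0(?:px)?\b",
    re.I,
)


class HiddenIframeScanner(HTMLParser):
    """Collects iframes whose attributes suggest they are meant to be invisible."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        # Tiny width/height attributes (0 or 1 pixel) are a classic hiding trick.
        for dim in ("width", "height"):
            val = a.get(dim, "").strip().lower().rstrip("px").strip()
            if val.isdigit() and int(val) <= 1:
                reasons.append(f"{dim}={val}")
        # Inline style that hides or collapses the frame.
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden by style")
        if reasons:
            self.findings.append(
                {"src": a.get("src", ""), "line": self.getpos()[0], "reasons": reasons}
            )


def find_hidden_iframes(html):
    """Return a list of findings (src, line, reasons) for hidden iframes in html."""
    scanner = HiddenIframeScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one legitimate visible embed and two injected frames.
# The hostnames are placeholders, not real indicators from the report.
SAMPLE_PAGE = """<html><body>
<h1>Widget Store</h1>
<iframe src="https://video.example/product-demo" width="300" height="200"></iframe>
<p>Great deals on widgets.</p>
<iframe src="http://injected.example/in.php" width="1" height="1" style="display:none"></iframe>
<div>Footer</div>
<iframe src="http://another-injected.example/x.php" style="visibility:hidden;width:0px"></iframe>
</body></html>
"""


def scan_sample():
    """Run the scanner over the constructed sample page."""
    return find_hidden_iframes(SAMPLE_PAGE)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"line {f['line']}: iframe src={f['src']!r} flagged: {', '.join(f['reasons'])}")
```

Run against saved copies of live product pages (or the templates in the store's document root) and review any hit whose src is not a domain the store intentionally embeds; the visible 300x200 embed in the sample is deliberately left unflagged to show the heuristic targets concealment, not iframes in general.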

Once the infection reaches the shopper’s computer, it targets vulnerabilities in Java, Adobe Reader, Windows Help Center and Internet Explorer. Although the vendors of those products have patched the flaws, the attackers rely on the fact that the user has not patched all of the programs.

Even the exploitation of osCommerce itself depends on lax patch management by the shopping site, since the holes used by the attackers were patched in version 2.3 of the software, released in November last year. Since then, two further versions, 2.3.1 and 3.0.1, have been released.

More than 249,000 store owners, developers, service providers and enthusiasts use the open source software, osCommerce officials said.

Attacks like the one discovered by Armorize can be especially harmful to small and medium-size businesses (SMBs), said Frank Kenney, vice president of Global Strategy at Ipswitch, a file transfer security company.

Those companies typically don’t have the financial resources of larger firms so they’re attracted to open source programs like osCommerce and use off-the-shelf software in their operations. “Whenever you use off-the-shelf software, you have to understand there are data issues and all types of security vulnerabilities that exist,” he said.

While the makers of off-the-shelf software patch their programs often, businesses still have to invest the resources to ensure the patches actually get applied.
