Wednesday, September 14, 2011

Revisting recent oscommerce mass compromise

Open source commerce(oscommerce) “is an e-commerce and online store-management software program. It can be used on any web server that has PHP and MySQL installed. It is available as free software under the GNU General Public License.”[1,2]

In the first half of 2011 an attack targeted e-commerce sites running oscommerce using the Blackhole Exploit Kit. The attacks scans millions of web servers for oscommerce vulnerabilities. Many servers run old or badly configured servers which are vulnerable so the mass attack was very successful. In particular the attacks are searching for the vulnerabilities below[3]. Some aspects of the attack have changed over the months. As defenders have blacklisted or de-registered domain names, the attackers have responded by changing domains, exploits and payloads.

The above vulnerabilities target a problem with securing remote admin access to an oscommerce site. According to the oscommerce site,

"The Administration Tool is used to configure the online store, insert products for sale, administrate customers, and process orders. The Administration Tool is protected by a login mechanism which only allows verified administrators to login and to administrate the online store. "[4]

while a security patch was issued to address the critical issues with remote admin, again from the oscommerce site we have,
“The Administration Tool log-in feature introduced in v2.2RC2 can be bypassed on Apache web servers with AcceptPathInfo enabled by manipulating the URL. “[5]

Once compromised the attacking group will insert a hidden malicious link which points to the first in a chain of re-directors which ultimately lead to a site which attempts to exploit the user and install malicious programs, for example the Zeus banking trojan. As mentioned earlier the attacking group has responded to defenders by changing domains, exploits and payloads so over the months the details of the attack as changed.

Let's look at an example of a compromised oscommerce e-commerce site from August 2011.

The site hxxp:// looks to be a forgotten/half completed e-commerce site for a small coach tour company in the UK.

The site would have been compromised at some point in the past and a look at the HTML code for the page shows the malicious link left by the attackers. The attackers use the oscommerce vulnerability to edit the "Store Name" variable which is used to construct the page header/title and below the malicious link is seen in the code for the page header.[6]

The orangeblue site is the first in a re-direction chain that, in a process completely invisible to the average user, leads to an attack on their computer.

Stage one

The following obfuscated javascript is pulled from the orangeblue site. Code obfuscation has been used to evade detection by antivirus engines. In the code below h gets the value -2, this is used to modify the values in the array n which then become the correct ASCII decimal code values e.g the first three 9=TAB,9=TAB,105=i. This array is used to create the string ss which is then passed to an eval for execution.
This decodes to the following which implants a hidden malicious iframe.
Stage two

Gzipped compressed data is now pulled from the zapto domain given above, when decompressed this reveals the following javascript(shown in the below 4 images).

Lines 1-23 are obfuscated while lines 25-76 attempt to contact the Blackhole command & control server, and finally lines 77-88 reach out to a counter. Note the Russian comments within the code(I have added the English translations). Similar to stage one, in line 18 o gets the value 2 which is used to create the ASCII array m. This is then used in the lines 22-23 to construct the string s which is then executed. The obfuscated script decodes to the following.

Stage 3

The above script now reaches out to the rinzestark site. This last link is the one that actually pulls down code which attempts to exploit the unsuspecting user. The code is obfuscated and appears as follows. The obfuscation is more complex than the earlier stages. The crucial line is 21 which when variable values are substituted becomes z[substr](a[i],1), this uses the array a as an index to grab length 1 substrings from z which are concatenated to form string s, this is then executed in line 27.
This decodes to over 900 lines of javascript which is the Blackhole Kit attempting to exploit the end user. The code attempts to determine a number of things about the users software configuration and then launches an exploit tailored to the configuration found. A snippit of this code is shown below.

If the exploit is successful then further stages follow as the attackers now have control of the user machine and can install and do anything they wish, often this group has installed a banking trojan designed to steal information users enter when visiting e-commerce and e-banking sites.

Defense and counter attack

Soon after this attack was first noticed steps were taken by the information security community to blacklist and de-register the domains involved, for example the domain. Of course the attackers are watching closely and quickly respond by changing domains. Over the months this wack-a-mole process continued with the following domains being used by the attackers for the first stage(later stage domains also changed over time). These sites may be specifically created by the attackers or in the case of lamacom, adorabletots, orangeblue and ayba be legitimate sites that the attackers have compromised and turned into part of their exploitation network.


Let's look at defense efforts in more detail. The main tools available to defenders are blacklisting, de-registering and of course contacting the owners of compromised e-commerce sites with advice on how to clean and secure their sites. Blacklisting involves listing the domains in a blacklisting service like hphosts or MDL while de-registering involves reaching out to the domain registrar or hosting company to ask for the domain to be deleted.

Domain name analysis

The third phase address hxxp://, is on the notorious domain. A Korean based company owns the domain and offers a subdomain registration service with DNS. According to the companies website two domains can be obtained for free while bulk sets of domains can be obtained very cheaply, 100 domains for $10 up to 15000 domains for $1000[7]. In July 2011 all subdomains of were removed by Google from it's search results because of the prevalence of phishing and malware sites[8]. According to a recent report by the Anti-Phishing Working Group(APWG) was the most abused subdomain service in the world[9,10].

The second phase address is also a subdomain address. is owned by US company No-IP/Vitalwerks Internet Solutions[11].

The majority of first phase addresses have been legitimate websites which have been compromised by the attackers and used to host the javascipt file.