Aug 26, 2011 09:34 GMT

Security researchers warn that variants of a ZeuS spin-off trojan called Ice-IX are being distributed from osCommerce websites compromised during a recent mass injection attack.

The attack, which targets osCommerce installations still vulnerable to a flaw disclosed in November 2010, began at the end of July.

The code injection campaign escalated quickly: the number of infected pages jumped from 90,000 to over 3.8 million within a week, and to 8 million two weeks later.

The attack even prompted the German Federal Office for Information Security (BSI) to issue an alert because many of the infected websites are German online shops.

The code injected into the pages leads to externally-hosted drive-by download exploits that target vulnerabilities in unpatched versions of Java, Adobe Reader, Internet Explorer and Windows XP.
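The article does not reproduce the injected code itself, so the following is an added example, not code from the original report or from the osCommerce project. It assumes the injection takes the common form of a `<script>` or `<iframe>` element whose `src` points at a third-party host, and shows how a shop owner could scan saved copies of their pages for remote references that are neither the shop's own host nor on an allowlist, flagging those that also appear on a blocklist such as the one maintained by the Malware Domain List. The sample page and both host lists are constructed for illustration.

```python
"""Scan saved shop pages for injected references to external hosts.

Added example; the tag-based injection form, the allowlist and the
blocklist are assumptions, not details taken from the article.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the shop legitimately loads content from (assumed allowlist).
ALLOWED_HOSTS = {"shop.example", "cdn.example"}

# Hosts known to serve exploit kits: a constructed stand-in for a feed such
# as the Malware Domain List mentioned in the article.
KNOWN_BAD_HOSTS = {"exploit-host.example"}

# Constructed page: two legitimate references and two injected ones.
SAMPLE_PAGE = """<html><head>
<script src="/js/shop.js"></script>
<script src="http://cdn.example/jquery.js"></script>
</head><body>
<h1>Shop</h1>
<script src="http://exploit-host.example/x.js"></script>
<iframe src="http://unknown-host.example/ad" width="1" height="1"></iframe>
</body></html>"""


class RemoteRefCollector(HTMLParser):
    """Collect (tag, src) pairs for every script/iframe element with a src."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.refs.append((tag, src))


def find_injected_refs(html, page_host):
    """Return findings for script/iframe references to foreign hosts.

    Relative URLs and references to the page's own host or an allowlisted
    host are ignored. Anything else is reported, with verdict "known-bad"
    if the host is on the blocklist and "unknown-external" otherwise.
    """
    parser = RemoteRefCollector()
    parser.feed(html)
    findings = []
    for tag, src in parser.refs:
        # scheme="http" lets scheme-relative "//host/path" URLs parse a host.
        host = urlparse(src, scheme="http").hostname
        if host is None or host == page_host or host in ALLOWED_HOSTS:
            continue
        verdict = "known-bad" if host in KNOWN_BAD_HOSTS else "unknown-external"
        findings.append({"tag": tag, "src": src, "host": host, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for finding in find_injected_refs(SAMPLE_PAGE, "shop.example"):
        print(f"{finding['verdict']:17} <{finding['tag']} src={finding['src']}>")
```

Run against pages fetched directly from the web server's document root rather than through a browser, since the injected script may alter the rendered page; an "unknown-external" hit is not proof of compromise, but any host not on the allowlist warrants a look at the file's modification time and at the admin panel's access logs.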

If exploitation is successful, a trojan is installed on the victim's computer. According to the Malware Domain List, a non-commercial community project that tracks malicious URLs, that trojan is now Ice-IX.

"Ice-IX (modified Zeus) is currently being distributed by the osCommerce mass compromise campaign," the project warned via Twitter. Ice-IX is a new banking trojan based on the ZeuS source code leaked earlier this year.

The Ice-IX builder is sold on the underground market for as much as $1,800. Like ZeuS, it injects itself into browser processes to steal information, but one peculiarity of the samples seen so far is that they also steal Amazon AWS credentials.

Online shop owners who use osCommerce should upgrade to versions 2.3.1 or 3.0.2 of the platform as soon as possible. They are also advised to strengthen the security of their installations by implementing several recommendations described in a post on the osCommerce support forum.

Users should keep the software installed on their computers up to date and should run an antivirus solution capable of scanning web traffic.