A ZeuS spin-off Trojan called Ice-IX seems to be coming from osCommerce websites compromised during a mass injection attack.
The attack targeting osCommerce installations vulnerable to a flaw that dates from November 2010 began at the end of July.
The code injection attack ratcheted up rapidly as the number of infected pages jumped from 90,000 to over 3.8 within a week and 8 million two weeks later.
The code injected into the pages leads to externally-hosted drive-by downloads that target vulnerabilities in unpatched versions of Java, Adobe Reader, Internet Explorer and Windows XP.
If the code makes it in, it can then plant a Trojan on the victim’s computer. According to the Malware Domain List, a non-commercial community project that tracks malicious URLs, that Trojan is Ice-IX.
“Ice-IX (modified Zeus) is currently being distributed by Oscommerce mass compromise campaign,” the project warned. Ice IX is a new banking Trojan based on the ZeuS source code leaked earlier this year.
The Ice-IX builder sells on the underground market for as much as $1,800. Like ZeuS, it injects itself into browser processes to steal information.
Online shop owners who use osCommerce should upgrade to versions 2.3.1 or 3.0.2 of the platform as soon as possible. They should also strengthen the security of their installations by implementing several recommendations described on the osCommerce support forum.
Users should keep the software installed on their computers up to date and should run an antivirus solution capable of scanning web traffic.