Websense Security Labs Blog


New Mass Injection Wave of WordPress Websites on the Prowl

Posted: 05 Mar 2012 08:00 | uwang | 13 comment(s)


The Websense® ThreatSeeker® Network has detected a new wave of mass injections belonging to a well-known rogue antivirus campaign that we have been following in Security Labs™ for months. The majority of targets are Web sites hosted on the WordPress content management system. At the time of writing, more than 200,000 Web pages have been compromised, amounting to close to 30,000 unique Web sites (hosts). The injection hijacks visitors to the compromised sites and redirects them to rogue AV sites that attempt to trick them into downloading and installing a Trojan onto their computer.

The injected code is very short and is placed at the bottom of the page, just before the </body> tag.

After a three-level redirection chain, victims land on a fake AV site. In this example, the first hop in the chain is on ".rr.nu" and the landing site is on the ".de.lv" top-level domain, but the landing site keeps changing. The rogue AV site appears to perform a scan of the computer and scares the user by displaying fake detections of various kinds of Trojans. The page looks like a Windows Explorer window with a "Windows Security Alert" dialogue box in it. The fake scanning process looks like a normal Windows application; however, it is only a pop-up window within the browser. The fake antivirus then prompts visitors to download and run its "antivirus tool" to remove the supposedly found Trojans. The executable is itself the Trojan.


An interesting observation is that more than 85% of the compromised sites are hosted in the United States, while visitors to these sites are far more geographically dispersed. So while the attack is focused on US-hosted sites, everyone who visits one of these compromised pages is at risk.

Countries hosting compromised Web sites: [chart not reproduced]

Country of origin of visitors: [chart not reproduced]

Websense Security Labs continues to monitor the evolution of this campaign. Websense customers are protected by the Advanced Classification Engine (ACE), which detects compromised Web sites in real time.

Comments

Jan Doggen said on Tuesday, March 06, 2012 12:34

Please provide information about that "well-known exploit".

Is it fixed if we are updated to the latest Wordpress version?

Don't just present the problem, the solution is more important.

Susannah said on Tuesday, March 06, 2012 9:09 PM

As someone using WordPress for my website, how can I protect it from attack? Several of my clients' IT systems have blocked the site, presumably for this reason...

Rich said on Wednesday, March 07, 2012 8:54

It's possibly worth noting that this seems very prevalent on Dreamhost - their One Click install bundles hundreds of themes and lots of plugins, so I was hit because a site I'd installed via this method years ago was still online inadvertently.

The code on the server is a base64-encoded chunk that is prepended to any PHP files. Unobfuscated, it looks like this:

http://pastebin.com/6j96BiE8

It's worth noting that if your server has either eval or base64decode disabled, then it won't work. Blocking the hardcoded .nn.ru domains would also be worth considering.

In addition to this obvious code, a file called lib.php which contains a backdoor is placed randomly in some directories. I suspect that a WP hack has uploaded the lib.php file, and that was used to do the nn.ru stuff.

To clear it up, look for files where the first line is very long (1000+ chars), or where the file contains "/**/ eval(base64_decode(". Also, any files called lib.php, or that start with utf8, need to be removed.

Shyaam Sundhar said on Wednesday, March 07, 2012 12:24 PM

Where can we find a list or a DB to check, if we are infected?

MickeyRoush said on Wednesday, March 07, 2012 10:12 PM

@ Rich. How do you disable the use of eval or base64decode? I was told that those are constructs, not actual declared functions.

Jens said on Thursday, March 08, 2012 4:15

Are there any stats on which hosts these WordPress installations are installed on? One could guess that it was one of the major hosting sites like Anhosting or Godaddy..

Chris Fryer said on Thursday, March 08, 2012 4:52

@MickeyRoush

eval() cannot be disabled because it is a language construct. But base64_decode() is a function, which can be disabled in php.ini.

www.php.net/.../ini.core.php

Omnireso said on Thursday, March 08, 2012 6:01

Is this injection related to any particular free-templates / free WP themes scheme ?

CMS and blog engines like WP are a gift for hackers/crackers when bloggers download free add-ons without knowing anything about the risks they encounter...

Ryan said on Friday, March 09, 2012 7:35 PM

While this information is interesting, it's not very useful. Important details such as which versions of WordPress are being exploited are missing. If these are sites running outdated versions of WordPress then it's not that surprising. If these are 3.3.x sites being compromised, then it's a much bigger deal.

It doesn't look like WordPress has had any critical security issues in a pretty long time, and the community has been pretty responsive in fixing issues as they show up. So which is it? Are these old sites left out to rot, or is this a new and unpatched exploit?

secunia.com/.../33191

John said on Tuesday, March 13, 2012 3:34

I'm on day 4 of trying to clean up my DreamHost acct.

This helped me find some bad guys:

$ find . -perm 000

See also:

danhilltech.tumblr.com/.../if-you-get-eval-base64-hacked-on-wordpress-dreamhost

domesticenthusiast.blogspot.com/.../dyslexic-mayans-want-to-sell-you-cialis.html
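As an added example (not code from the post or from any of the commenters), the script below combines the indicators Rich and John describe into one read-only triage scan of a WordPress tree; the indicator names, the helper that builds a constructed sample tree, and the "harmless stand-in" files it writes are all my own assumptions for demonstration.

```shell
#!/bin/sh
# Added example, not from the Websense post or its commenters: a read-only
# triage scan of a WordPress tree using the indicators Rich and John list.
# Matches are leads for manual review, not verdicts: some legitimate plugins
# also use eval(base64_decode(), so confirm before deleting anything.

# Print one "path: reasons" line for every file matching an indicator.
scan_wp_dir() {
  find "$1" -type f -print | sort | while IFS= read -r f; do
    reasons=""
    case "${f##*/}" in                      # match on the file name only
      lib.php) reasons="$reasons name=lib.php" ;;
      utf8*)   reasons="$reasons name=utf8*" ;;
    esac
    # John's "find . -perm 000" check, applied per file
    if [ -n "$(find "$f" -perm 000 -print)" ]; then
      reasons="$reasons perm=000"
    fi
    if [ -r "$f" ]; then                    # mode-000 files are unreadable for non-root
      if grep -q 'eval(base64_decode(' "$f"; then
        reasons="$reasons eval-base64"
      fi
      # a prepended base64 blob usually makes the first line huge
      len=$(head -n 1 "$f" | wc -c | tr -d ' ')
      if [ "$len" -ge 1000 ]; then
        reasons="$reasons long-first-line=$len"
      fi
    fi
    if [ -n "$reasons" ]; then
      printf '%s:%s\n' "$f" "$reasons"
    fi
  done
}

# Build a constructed sample tree (harmless stand-ins, not real malware) so the
# scan can be tried offline; prints the directory path.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/uploads" "$d/wp-includes"
  printf '<?php\necho "clean";\n' > "$d/index.php"
  blob=$(awk 'BEGIN { for (i = 0; i < 1100; i++) printf "A" }')
  printf '<?php /**/ eval(base64_decode("%s")); ?>\n<?php\necho "page";\n' "$blob" > "$d/wp-content/injected.php"
  printf '<?php\n// stand-in for the dropped backdoor\n' > "$d/wp-content/uploads/lib.php"
  printf '<?php\n' > "$d/wp-includes/utf8_hidden.php"
  printf '<?php\n' > "$d/hidden.php" && chmod 000 "$d/hidden.php"
  printf '%s\n' "$d"
}

# Usage: scan_wp_dir /path/to/wordpress
```

Run it as the site's own user (or root) so mode-000 files are at least listed; treat every hit as something to open and read before removing.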

Elad Sharf said on Tuesday, March 13, 2012 5:34

@Ryan @Omnireso @Jens

We published a follow up post that looks into which CMS types are being exploited with some conclusions, please have a look at: community.websense.com/.../i-have-the-latest-wordpress-version-am-i-protected.aspx

Nikhil m said on Monday, July 30, 2012 7:34 PM

Here is a well-defined solution: blog.lightrains.com/.../fix-wordpress-malware-script-attack
