Slashdot Mirror


30K WordPress Blogs Infected With the Latest Malware Scam

alphadogg writes with an excerpt from an article over at Network World: "Almost 30,000 WordPress blogs have been infected in a new wave of attacks orchestrated by a cybercriminal gang whose primary goal is to distribute rogue antivirus software, researchers from security firm Websense say. The attacks have resulted in over 200,000 infected pages that redirect users to websites displaying fake antivirus scans. The latest compromises are part of a rogue antivirus distribution campaign that has been going on for months, the Websense researchers said."

17 of 104 comments

  1. McAfee? by Oswald+McWeany · · Score: 5, Funny

    websites displaying fake antivirus scans

    I didn't know McAfee had started targeting Web blogs now.

    --
    "That's the way to do it" - Punch
    1. Re:McAfee? by tepples · · Score: 3, Informative

      It might be hard to believe, but there are antivirus companies even less scrupulous than McAfee and Norton. Wikipedia explains.

  2. Analysis by SirDice · · Score: 4, Insightful

    Why do they always focus on the crap that's left behind when they analyse these things? I want to know how they managed to get that stuff on those servers so I can check my own. Was it an old and vulnerable WordPress or was it some 0-day they used? For some reason they always focus on the effects and not on the causes.

    1. Re:Analysis by WankersRevenge · · Score: 5, Informative

      From the fine article:

      Many of the blogs compromised in these recent attacks were running outdated WordPress versions, had vulnerable plug-ins installed or had weak administrative passwords susceptible to brute force attacks, said David Dede, a security researcher with website integrity monitoring firm Sucuri Security. "It seems the attackers are trying everything lately."

    2. Re:Analysis by drobety · · Score: 4, Informative

      For what it's worth, looking at the recent 404 errors on my site, I've noticed many (fortunately failed) requests related to Ajax File And Image Manager 1.0 Final Code Execution.
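The two entry points the replies above name, plugin probes showing up as 404s and brute-forced admin passwords, are both visible in an ordinary access log. The script below is an added example for checking your own servers; it is not from the thread and not Websense's or Sucuri's tooling. It assumes Apache/nginx combined log format (field 7 is the request path, field 9 the status). The plugin paths, client addresses and the sample log lines are constructed for illustration, not captured from a real attack.

```shell
#!/bin/sh
# Added example (not from the thread): triage a combined-format access log
# for plugin probing and wp-login.php brute forcing.
# All paths, IPs and log lines below are constructed, not captured traffic.

# 404s against plugin/theme paths, plus timthumb.php fetches with a remote
# src= (the classic timthumb abuse), grouped by client IP and path.
probe_paths() {
    awk '($9 == 404 && $7 ~ /^\/wp-content\/(plugins|themes)\//) ||
         $7 ~ /timthumb\.php[?]src=https?:/' "$1" \
        | awk '{ print $1, $7 }' | sort | uniq -c | sort -rn
}

# Clients that POSTed to wp-login.php at least $2 times in the window the
# log covers; one legitimate login is one POST, a brute force is dozens.
login_bursts() {
    awk -v t="$2" '$6 == "\"POST" && $7 == "/wp-login.php" { n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }' "$1" | sort -rn
}

# Constructed sample log: one scanner probing a (hypothetical) plugin and a
# timthumb copy, one normal reader, one password guesser, one real login.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
203.0.113.5 - - [06/Mar/2012:10:00:01 +0000] "GET /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Mar/2012:10:00:02 +0000] "GET /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Mar/2012:10:00:03 +0000] "GET /wp-content/themes/example-theme/timthumb.php?src=http://blogger.com.example.invalid/x.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
192.0.2.10 - - [06/Mar/2012:10:05:00 +0000] "GET /2012/03/hello-world/ HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Mar/2012:10:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4331 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Mar/2012:10:10:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4331 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Mar/2012:10:10:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4331 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Mar/2012:10:10:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4331 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Mar/2012:10:10:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4331 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Mar/2012:10:10:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4331 "-" "Mozilla/5.0"
192.0.2.10 - - [06/Mar/2012:10:20:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
    echo "$f"
}

# Report both views for a given log file.
triage_log() {
    echo "== probes (count ip path) =="
    probe_paths "$1"
    echo "== wp-login.php POST bursts (count ip), threshold $2 =="
    login_bursts "$1" "$2"
}
```

On a real server run `triage_log /var/log/apache2/access.log 20` (or whatever your log path and a sane threshold are); anything in the first section is worth checking against the plugin and theme directories that actually exist on disk, and a 404 for a plugin you do have installed is the interesting case.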

  3. Re:wordpress, again? by Spad · · Score: 2

    At a guess, the ratio of Installs to Unpatched/Insecure Installs, both of the core WP software and its many, many 3rd party plugins and themes.

    A *lot* of sites are either running old versions of software or have plugins/themes with gaping vulnerabilities that are no longer under active development.

  4. Method of infection by dgharmon · · Score: 3, Insightful

    "The Websense ThreatSeeker Network has detected a new wave of mass-injections of a well-known rogue antivirus campaign"

    How exactly are these sites infected in the first place?

    "The page looks like a Windows Explorer window with a "Windows Security Alert" dialogue box in it"

    Ahh so - nothing to read here ... moving on ...

    --
    AccountKiller
    1. Re:Method of infection by Pope · · Score: 2

      I used to get those all the time on my Mac and just laugh. Then they made a special OS X-looking one.

      --
      It doesn't mean much now, it's built for the future.
  5. Specialist ISP of Transnistria.. again. by Dynamoo · · Score: 5, Interesting

    It looks like the first step in the infection is via an IP (194.28.114.103) belonging to Specialist ISP of Transnistria. That has featured before on Slashdot in this story.

    The block 194.28.112.0/22 is simply all evil (I've documented it here in the past), there's no reason to send traffic to it at all, blocking it is a good option.

    --
    Never email donotemail@WeAreSpammers.com
    1. Re:Specialist ISP of Transnistria.. again. by Dynamoo · · Score: 2

      Exactly. It's a country that doesn't exist in the eyes of most other countries, which makes it beyond the reach of international law enforcement. There are other countries in the world like that, the difference with Transnistria is that it has a somewhat modern infrastructure.

      --
      Never email donotemail@WeAreSpammers.com
  6. Why bother with an infector? by Opportunist · · Score: 2

    Why bother using 0day exploits and payload droppers when the best infector is sitting right in front of the PC?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Why bother with an infector? by DigiShaman · · Score: 3, Interesting

      Agreed. The best form of hacking isn't technical, it's social. This is what happens when con artists turn to technology as another venue by which to exploit people.

      --
      Life is not for the lazy.
  7. Re:wordpress, again? by gmack · · Score: 4, Interesting

    Some of that is Wordpress' fault for not having an easy way to run mass upgrades. My employer has 15 different sites running on Wordpress and the fact that I have to log in to each one manually after upgrading the files and click a link to handle the database update is annoying.

  8. Re:wordpress, again? by nick.sideras · · Score: 4, Informative

    Some of that is Wordpress' fault for not having an easy way to run mass upgrades. My employer has 15 different sites running on Wordpress and the fact that I have to log in to each one manually after upgrading the files and click a link to handle the database update is annoying.

    This drove me nuts at my current job for about 2 months - you need Wordpress Network.

    There's the easy way and the hard(er) way to do this:

    This is the official easy way, but it's never worked for me (last tried in Spring of 2011). The nice thing is that it's all stuff built into WordPress, so you should be able to do it without any problems. I'd say it's probably worth giving this a try with one site, and if it works, run with it.

    This is the more down and dirty way that will definitely work, and is more or less how I did it. A little SQL editing never hurt anyone.
    Also, this is a great companion to the bavatuesdays link. He goes on about his DNS in the first few paragraphs, but the second half of that post has some good details about where files need to be, and how links and such need to be updated.

    Once you have a network, you get a fantastic "Update Network" button. Boom. Take the rest of the day off.

  9. Re:Its 2012 and yet still... by X0563511 · · Score: 3, Informative

    Are you an idiot? The article is talking about WORDPRESS - a web application! Windows isn't involved!

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  10. For Newbs: Steps to Fix by dgrotto · · Score: 5, Informative

    Most of my WP installs were infected because I am a slack ass. Here are the high level steps I took to solve the problem:

    • 1) Backup sites.
    • 2) Fix all world-writable directories in your WP install (what the hell WP?!). This seems to be the primary vector for getting in.
    • 3) Clean up infected PHP files with this script from php-beginners.com. Thank you Paolo.
    • 4) Inspect all .htaccess configs for errant redirects and fix.
    • 5) Install and run the timthumb vulnerability scanner. Possible secondary vector. Thank you Peter Butler!
    • 6) Update your WP install to latest and greatest.
    • 7) Remove any unused plugins and themes.
    • 8) Backup sites.

    I may be missing something - again, I'm a slackass. Anyone else have other advice for our admin-challenged friends besides "get a real software package"?

    By the way, I was trying to lock down one of my WP installs to only allow authed users access to posts. However, WP does not put the assets for posts - usually in wp-content/uploads - behind the auth wall. It's just out there for the whole world to see. It was a simple fix to rewrite the .htaccess config for this directory to redirect to an auth script, but it still shocks me how insecure this app is.
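Steps 2 through 5 of the list above are mechanical enough to script. What follows is an added example, not the poster's script, the php-beginners.com cleaner, or Peter Butler's timthumb scanner: it walks a WordPress docroot for world-writable directories, PHP files using the eval/decode idioms that injected backdoors of this campaign's era relied on, .htaccess rules that redirect visitors off-site, and timthumb.php copies with their VERSION define. The eval/decode patterns and the fixture tree are assumptions chosen for illustration; real injections vary, so treat a clean result as "nothing matched these patterns", not "site is clean".

```shell
#!/bin/sh
# Added example (not from the thread): post-compromise triage of a
# WordPress docroot. Patterns and the fixture below are constructed.

# Step 2: directories writable by "other" (any 0002 bit).
find_world_writable() {
    find "$1" -type d -perm -002 -print | sort
}

# Step 2: bring permissions back to the usual 755/644 baseline.
harden_perms() {
    find "$1" -type d -perm -002 -exec chmod 755 {} +
    find "$1" -type f -perm -002 -exec chmod 644 {} +
}

# Step 3: PHP files that eval() a decoded blob, the common injector idiom.
# Assumption: these four decoders cover the obfuscation you are hunting for.
find_injected_php() {
    find "$1" -type f -name '*.php' -exec grep -lE \
        'eval[[:space:]]*\((base64_decode|gzinflate|gzuncompress|str_rot13)' {} + | sort
}

# Step 4: .htaccess rules whose target is an absolute URL, i.e. a redirect
# to another host. /dev/null forces grep to print the file name.
find_htaccess_redirects() {
    find "$1" -type f -name .htaccess -exec grep -nE \
        '(RewriteRule|Redirect(Match)?)[[:space:]].*https?://' {} /dev/null \;
}

# Step 5: every timthumb.php copy and the VERSION it declares. The 2011
# timthumb remote-file-inclusion bug was fixed in 2.0, so a 1.x here is a
# copy that needs replacing, wherever the theme buried it.
find_timthumb() {
    find "$1" -type f -name 'timthumb.php' -exec grep -nE \
        "define[[:space:]]*[(][[:space:]]*'VERSION'" {} /dev/null \;
}

triage_report() {
    echo "== world-writable directories =="; find_world_writable "$1"
    echo "== php files with eval/decode idioms =="; find_injected_php "$1"
    echo "== .htaccess external redirects =="; find_htaccess_redirects "$1"
    echo "== timthumb.php copies =="; find_timthumb "$1"
}

# Constructed fixture: a tiny docroot showing one hit for each check.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads" "$d/wp-content/themes/x"
    chmod 777 "$d/wp-content/uploads"
    printf '<?php echo "clean"; ?>\n' > "$d/index.php"
    printf '<?php eval(base64_decode("aGVsbG8="));\n' > "$d/wp-content/themes/x/footer.php"
    printf 'RewriteEngine On\nRewriteCond %%{HTTP_REFERER} (google|bing|yahoo)\nRewriteRule ^(.*)$ http://example.invalid/ [R=302,L]\n' > "$d/.htaccess"
    printf "<?php\ndefine ('VERSION', '1.19');\n" > "$d/wp-content/themes/x/timthumb.php"
    echo "$d"
}

cleanup_fixture() {
    rm -rf "$1"
}
```

Against a live site run `triage_report /var/www/html` first and read the output before `harden_perms`, since some hosts legitimately need a writable uploads directory for the web server user (give it to that user, not to "other"). The .htaccess check catches the referrer-conditioned redirect this campaign used, but a redirect injected into a PHP template or the database is only caught by the eval/decode check if it was obfuscated, so steps 3 and 4 complement rather than replace each other.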

  11. Related drive-by malware by ThatsNotPudding · · Score: 3, Informative

    BTW: why is Adobe allowed to - by default - check the box on their flash updates to also install Norton on the victims computer? How many trusting civilians (think: grandmothers) end up with borked computers with conflicting AV programs solely due to corporate greed? I'm willing to bet this check box (if it even appears) is NOT checked by default in the EU market. Man, I miss government FOR the people...