30K WordPress Blogs Infected With the Latest Malware Scam

alphadogg writes with an excerpt from an article over at Network World: "Almost 30,000 WordPress blogs have been infected in a new wave of attacks orchestrated by a cybercriminal gang whose primary goal is to distribute rogue antivirus software, researchers from security firm Websense say. The attacks have resulted in over 200,000 infected pages that redirect users to websites displaying fake antivirus scans. The latest compromises are part of a rogue antivirus distribution campaign that has been going on for months, the Websense researchers said."

Analysis

[SirDice]

Why do they always focus on the crap that's left behind when they analyses these things? I want to know how they managed to get that stuff on those servers so I can check my own. Was is an old and vulnerable WordPress or was it some 0-day they used? For some reason they always focus on the effects and not on the causes.

Method of infection

[dgharmon]

"The Websense ThreatSeeker Network has detected a new wave of mass-injections [websense.com] of a well-known rogue antivirus campaign"

How exactly are these sites infected in the first place?

"The page looks like a Windows Explorer [websense.com] window with a "Windows Security Alert" dialogue box in it"

Ahh so - nothing to read here ... moving on ...