Sophos Cloud Optix
SophosLabs has intercepted a major malware campaign, spread via spam email and compromised self-hosted WordPress blogs, which attempts to infect computers using the notorious Blackhole exploit kit.
Be on your guard if you have received an email entitled “Verify your order”, as links contained within the email could take you to a poisoned webpage, designed to install malware onto your PC.
Here’s what a typical email looks like:
Subject: Verify your order
Message body:
Dear [name],please verify your order #[random number] at [LINK]
We hope to see you again soon!
The websites that are being linked to aren’t ones that have been created by the malicious hackers.
They are legitimate websites that are running a self-hosted installation of the popular WordPress blogging platform. (Note, this does not include the many millions of bloggers who use the WordPress.com service – the vulnerable sites are those where people have installed their own WordPress software).
Unfortunately, some people haven’t properly secured their sites – which has allowed malicious hackers to plant malicious code from the Blackhole exploit kit, and means that malware is now downloading onto innocent users’ computers.
Sophos products detect the malware as Troj/PDFEx-GD, Troj/SWFExp-AI, Mal/ExpJS-N and Troj/Agent-XDM.
More and more of the attacks that we are intercepting involve the Blackhole exploit kit – recent examples include emails posing as traffic tickets from NYC, rejected wire transfer notifications and fake Facebook photo tag notifications.
Remember to not just keep your anti-virus software up-to-date, but also to ensure that any software you run on your web server is also properly secured, and kept patched and current (that includes blogging software like WordPress and any plugins that it might use).
Hi,
Is there any indication as to which specific vulnerabilities are being exploited within WordPress or any of its third party code?
Thanks,
Ryan
Not that we have determined so far I'm afraid. But nonetheless, we know that many bloggers are running out-of-date versions of WordPress – always a good idea to keep it updated, and ensure that you have permissions set up correctly and are only running appropriate (and up-to-date) plugins.
Some good advice here: http://codex.wordpress.org/Hardening_WordPress
Also, WordPress users can scan their sites here: http://sitecheck.sucuri.net (quick free scan) to see if they are outdated or hosting any visible malware.
Nice tool by the way….
Always keep WordPress and your plugins updated to the newest version. Even if your plugins are deactivated, they are still accessible and can pose a threat if they're not kept up to date.
Also make sure that if you have any file-upload plugins on your site that they're secure by restricting the file extensions that can be uploaded.
Do you have a post on what you feel the proper process is for securing WordPress?
Kim
@ Just Ask Kim
“WordPress Plugin” search results …
– https://secunia.com/advisories/search/?search=WordPress+Plugin
Found: 408 Secunia Security Advisories …
“… does -not- include the many millions of bloggers who use the WordPress.com service – the vulnerable sites are those where people have installed their own WordPress software…”
.
So I just disabled the plugins in Chrome; according to my tools icon it's now disabled for Windows too? Is this right? Am I safe now? And how can I tell if I'm already infected?
This problem is now hitting Drupal something fierce.
I've been fighting this for over a month, it is a very persistent little bugger. You can read my saga here: http://drupal.org/node/1878310
Desktop based AV systems can keep your desktop clean… but cleaning your website code is a serious pain in the backside, there seems to be no tools to clean your infected website files. What's worse – is that even after cleaning the exploit infection it can recur within minutes or hours.
Also beware of free site scan tools like Securi. They often simply reference what Google has found and flagged themselves, which can lead to you pulling your hair out because you delete the infected files or even all of the files and they still report infections because they are referncing old Google Webmaster Tools reports. These sites arent dangerous to your site but they can reference old data so they are of little use in realtime scanning to see if you've succeeded in removing the infection.
I like it . Nice information. thanks !!!
Greetings! Very useful advice within this post! It's the little changes that will make the greatest changes. Thanks a lot for sharing!
It’s hard to come by knowledgeable people on this subject, however, you sound like you know what you’re talking about! Thanks