December 1st, 2010

WordPress Blogs Targeted By Polymorphic Injection Attack

Security researchers have identified a sophisticated mass injection attack that uses polymorphic obfuscation and so far has targeted WordPress blogs at a US-based hosting provider.

According to Fraser Howard, a principal virus researcher at Sophos, the attacks began a few weeks ago and they all seem to affect websites running the popular blogging platform. Successful infection will result in one or several .php files being dropped on the Web server in multiple WordPress directories.

However, despite the .php extension, these rogue files actually contain malicious JavaScript code obfuscated with a technique that makes every one unique. In the security world this is known as polymorphic code and is used to evade antivirus software and intrusion detection systems.

The second step of the attack is to inject code into legitimate .js files used by WordPress, such as the jQuery library, so that the .php files are loaded along with them.

Finally, when the obfuscated JavaScript makes it onto the pages parsed by the visitors’ browsers, it generates a hidden iframe element. This element is meant to load malicious content from remote servers in an attempt to infect computers with malware.
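The file-level traces described above (.php files that hold JavaScript instead of PHP, and .js files modified to load them) can be checked for on disk. The following Python sketch is an added example, not code from Sophos or the original article; both heuristics, the sample file names and the `load(...)` call in the sample data are assumptions constructed for illustration.

```python
import os
import re
import tempfile

PHP_OPEN = re.compile(rb"<\?(php|=|\s)", re.I)  # any PHP opening tag
PHP_REF = re.compile(rb"\.php\b", re.I)         # a .php path mentioned inside JS

def scan(root):
    """Return (php_files_without_php_code, js_files_mentioning_php), relative to root."""
    fake_php, js_refs = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root)
            lower = name.lower()
            # Heuristic 1 (assumption): a non-empty .php file with no PHP tag is not PHP.
            if lower.endswith(".php") and data.strip() and not PHP_OPEN.search(data):
                fake_php.append(rel)
            # Heuristic 2 (assumption): a .js file naming a .php URL needs manual review;
            # legitimate scripts can do this too, so treat hits as a triage list.
            elif lower.endswith(".js") and PHP_REF.search(data):
                js_refs.append(rel)
    return sorted(fake_php), sorted(js_refs)

def build_sample_tree(root):
    """Write constructed sample files (harmless stand-ins, not real attack samples)."""
    samples = {
        "wp-includes/version.php": b"<?php // constructed legitimate PHP file\n",
        "wp-includes/js/x9k2.php": b"var a='%69%66'; // constructed stand-in for obfuscated JS\n",
        "wp-includes/js/jquery/jquery.js": b"(function(){})();\nload('/wp-includes/js/x9k2.php'); // constructed\n",
        "wp-includes/js/clean.js": b"function ok(){return 1;}\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        fake_php, js_refs = scan(tmp)
        print("PHP files without PHP code:", fake_php)
        print("JS files referencing .php:", js_refs)
```

Because each dropped file is obfuscated differently, the check keys on what the file lacks (a PHP opening tag) rather than on a content signature.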

“Earlier today I queried all of the sites that we have seen hit in this attack over the past 7 days, identifying almost 600,” writes Mr. Howard. “When looking at the GeoIP data for these sites I found that 97% of them were hosted by the same provider!” he adds.

The researcher also notes that the hosting provider, which he intentionally doesn’t name, was involved in similar incidents in the past.

When considering this and the fact that even WordPress installations running the latest version were affected, there is a strong possibility that the vulnerability lies with the company’s own infrastructure and not the blogging platform itself.

Credit: News, Sophos Naked Security Blog
