CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
December 1st, 2010

WordPress Blogs Targeted By Polymorphic Injection Attack

Security researchers have identified a sophisticated mass injection attack that uses polymorphic obfuscation and so far has targeted WordPress blogs at an US-based hosting provider.

According to Fraser Howard, a principal virus researcher at Sophos, the attacks began a few weeks ago and they all seem to affect websites running the popular blogging platform. Successful infection will result in one or several .php files being dropped on the Web server in multiple WordPress directories.

However, despite the .php extension, these rogue files actually contain malicious JavaScript code obfuscated with a technique that makes every one unique. In the security world this is known as polymorphic code and is used to evade antivirus software and intrusion detection systems.

The second step of the attack is to inject code in legit .js files used by WordPress, like the jQuery library, with the purpose of loading the .php files along with them.

Finally, when the obfuscated JavaScript makes it onto the pages parsed by the visitors’ browsers, it generates a hidden iframe element. This element is meant to load malicious content from remote servers in an attempt to infect computers with malware.

“Earlier today I queried all of the sites that we have seen hit in this attack over the past 7 days, identifying almost 600,” writes Mr. Howard. “When looking at the GeoIP data for these sites I found that 97% of them were hosted by the same provider!” he adds.

The researcher also notes that the hosting provider, which he intentionally doesn’t name, was involved in similar incidents in the past.

When considering this and the fact that even WordPress installations running the latest version were affected, there is a strong possibility that the vulnerability lies with the company’s own infrastructure and not the blogging platform itself.

Credit: Softpedia.com News, Sophos Naked Security Blog

Share this item with others:

More on CyberInsecure:
  • WordPress Multiple SQL Injection Vulnerabilities
  • WordPress 2.6.2 Released Due To PHP Weakness That Might Lead To Attack
  • WordPress Doorway Spam Attacks
  • WordPress Cookie Integrity Protection Allows Unauthorized Access
  • WordPress Parameter Directory Traversal Vulnerability

    • Posted in Breaches And Incidents, Hacked, Malware, Mass Web Attacks, Software, Vulnerabilities | Print This Post Print This Post

    This entry was posted on Wednesday, December 1st, 2010 at 5:07 pm and is filed under Breaches And Incidents, Hacked, Malware, Mass Web Attacks, Software, Vulnerabilities. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

    If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: WordPress Blogs Targeted By Polymorphic Injection Attack

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    *
    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.
    Click to hear an audio file of the anti-spam word

    « «
    » »