This week Websense Security Labs reported a massive infection of numerous WordPress installations by a new wave of malware distributing fake antivirus software. In their report, they cite that as of Monday, over 200,000 infected web pages had been discovered and close to 30,000 unique hosts had been identified. The installed Trojan hijacks the browsing session and redirects users to the site where it attempts to trick users into downloading and installing the fake antivirus software.
Websense posted their analysis of the infection on their blog, and concluded that it’s a simple series of redirections that culminates in a social engineering trick:
After a three-level redirection chain, victims land on a fake AV site. In this example, the first chain is the “.rr.nu”, and the landing site is the “.de.lv” top-level domain, but the landing site keeps changing. The rogue AV site appears to perform a scan on the computer and scares the user by displaying fake malware detections of various kinds of Trojans. The page looks like a Windows Explorer window with a “Windows Security Alert” dialogue box in it. The fake scanning process looks like a normal Windows application, however, it is only a pop-up window within the browser. The fake antivirus then prompts visitors to download and run their “antivirus tool” to remove the supposedly found Trojans. The executable is itself the Trojan.
It is, we think, an interesting observation that more than 85% of the compromised sites are in theUnited States, while visitors to these web sites are more geographically dispersed. We think it’s useful to note that while the attack is specific to theUS, everyone is at risk when visiting these compromised pages.
Most modern browsers are fairly hardened against allowing worms and viruses to simply install themselves through loaded pages—however, in the end, it’s the end users who makes control decisions about the computer. As a result, the strategy of much malware has shifted from viruses (which propagate themselves) to Trojans that require social engineering to trick users into running them.
In many cases a fake antivirus program is used to lessen the suspicions of the would-be mark so that they’re more likely to download and use the program. The problem also rises that some real antivirus vendors have used sleazy ads suggesting that a computer is infected and therefore needs to use their product.
As for the WordPress installs that have been infected, most of them were compromised automatically.
It’s suspected that many of the WordPress installs that have suffered infection have been older versions, happened to be running poorly-secured plug-ins, or had weak administrative passwords leaving them open to attack. The best advice to people running WordPress is to have a strong password, always upgrade WordPress to the most recent version when security alerts come out, and always vet plug-ins before installing them.
Researchers from Sucuri Security, a website integrity monitoring firm have discovered one such rogue WordPress plug-in, ToolsPack, that opens a backdoor into the installation for virus authors to use to infect websites. According to Sucuri, the plug-in masquerades as a collection of WordPress administration tools and it has been found installed on many compromised blogs.
Downloading plug-ins from trusted sources is best and keeping up with updates and news about specific plug-ins can also help avoid this sort of backdoor issue from becoming a problem.