(credits: Wayne Huang, Chris Hsiao, NightCola Lin)
To peer researchers: As we all know, researching security incidents take a lot of time and sacrifice; as if they know exactly how to make our lives harder, attackers often launch right before the weekend or a long vacation. In such an event, we often need to sacrifice our personal plans to be with our families, in order to research and publish threats fast enough.
In the past, usually right after we publish our blog and tweet the link, some other security blogs will very quickly put out a post regarding the same incident. Usually there will be a link to our original post, and we appreciate this very much.
However, recently, for some of our posts, we feel our contents were plainly copied and there was no credit linking to us. We sincerely hope this won't happen.
Together as a security community, we have a common goal--to make the Internet a safer place for everyone. It's an honor to be a part of this community, and we have a lot of respect for everyone involved. We just don't like the feeling of being taken advantage of. Thanks very much everyone!
We've been tracking an ongoing mass WordPress infection that began to take place around Oct 5th, as detected by our HackAlert Website monitoring service. Many Wordpress sites have been hit. Using technologyadvances.net as an example, we've created a video showing how an affected WordPress site can infect its visitors.
1. Location of injected script: in the index page of the compromised website.
2. Means of compromise: we believe via a combination of a) stolen WordPress passwords b) backdoors into previously compromised WordPress websites and c) Automated script-injection tools that work in combination of either (a) or (b).
3. Injected script: In the [Details] section we've included an example of an injected script. There are more than 20 variations.
4. Script packer used: Dean Edwards' packer.
5. Malware: Multiple malware will be installed (dropped) onto the visitors machines without the users' knowledge. Antivirus detection rate is around 5 out of 43 vendors on VirusTotal at the time of this writing.
6. Infected websites: A lot of WordPress websites have been hit, a sample list is as follows:
7. Malicous domains: This time, instead of owning the malicious domains themselves, the attackers are using mostly the dynamic DNS service provided by changeip.com. A sample list is as follows:
8. Malicous domains: Although all of the above domains were resolving through changeip.com, there are only a few IPs used so far, including the following:
1. 188.8.131.52 (Primary IP, AS12695, Russian Federation Moscow Digital Networks Cjsc)
2. 184.108.40.206 (AS25847, United States New York Smv)
3. 220.127.116.11 (AS18229, India Hyderabad IP Pool For Znet)
9. Exploit pack: *NOT* BlackHole, still analyzing
10. Is your WordPress infected? A very simple way is to check for the existence of the following text: a) showthread b) 72241732 c) 72291731 and if these exist, have a closer look. You can also use the HackAlert Website monitoring service to have your site monitored 24x7.
The injection has a simple chain:
1. Index page of a WordPress site is injected with script packed by Dean Edwards' packer
3. Browser loads the exploit pack from the malicious domain, hosting on a few fixed IPs including 18.104.22.168 (Russia), 22.214.171.124 (USA), and 126.96.36.199 (India).
Below is an example of an injected script:
Depending on the browsing platform used, several malicious binaries are dropped upon successful exploitation. At the time of this writing, the antivirus detection rate is 5 out of 43 vendors on VirusTotal: