Wordpress Plug-in Related Infections Increase

Avast Software : 01 November, 2011  (Technical Article)
AVAST is warning WordPress users to check their blog-site image plugins for the vulnerability being used to push visitors to the Blackhole exploit kit
Researchers at the AVAST Virus Labs in Prague have seen an increase in malware infections on sites running WordPress, an open-source application frequently used by bloggers and self-publishers. The infections stem from a vulnerability in a popular image plugin combined with loose credential management.

In early October, AVAST researchers were alerted by several users via the CommunityIQ system that the website of The Poitou-Charentes Journal had been infected. In addition, the site operator contacted AVAST directly to find out why the avast! antivirus program was blocking visitors from a site that an external scanner had purportedly “checked and clean”.

The AVAST research team detected similar infections in other WordPress sites. “The Poitou-Charentes Journal is just one part of a much bigger attack,” said AVAST Senior Virus Lab researcher Jan Sirmer. “These compromised sites are part of a network which redirected vulnerable users to sites distributing an array of malware.”

Mr Sirmer worked with the site owner to gather more information on how the website had been compromised and where vulnerable visitors were being redirected. He was able to determine that the source of the infection was a PHP file (UPD.PHP) uploaded through a security vulnerability in TimThumb, an image resizer used by developers building themes for WordPress sites. It is believed that the attacker first compromised the weak login credentials the WordPress administrators used for the hosting servers’ FTP accounts, then uploaded and executed PHP files through that access.

The infection was the work of cybercriminals using the Blackhole Toolkit, a set of malware tools sold on the black market. “TheJournal.fr and its readers were certainly not the only targets, this is a larger issue of WordPress security,” said Mr Sirmer. “We’ve registered 151,000 hits at one of the locations where this exploit redirected users. We also blocked redirects from 3,500 unique sites on August 28 to 31, the first three days that this infection surfaced, that led to this exploit. During September, we blocked redirects from 2,515 sites and I expect October results will be similar.”

Mr Sirmer uncovered and removed several JavaScript infections and a backdoor Trojan on the TheJournal.fr site during his investigation. In this instance, the problem went unnoticed because the site was hosted and managed by a third party. “The site owner found out about the infection only because visitors to the site running avast! were blocked from visiting the site as part of their protection. So even if you outsource IT services, it is often a good idea to visit your own blog with an AV that has an active virus scan to make sure that it is not infected or being blocked,” he said. “And change your FTP passwords, and don’t save them on your PC, because this malware is often able to unpack the passwords from the usual FTP clients.”
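
As an added defensive example (not code from AVAST or from the article): a small Python triage pass over a WordPress file tree that flags the two symptoms described above, PHP dropped where only images belong (the uploads tree or an image-resizer cache directory) and injected redirect JavaScript in theme or plugin files. The sample tree, the heuristic patterns and the `cache` directory name are constructed assumptions for this example.

```python
import re
from pathlib import PurePosixPath

PHP_SUFFIXES = {".php", ".phtml", ".php3", ".php5"}

# Constructed heuristics for injected redirect code; the names are this example's own.
INJECTION_PATTERNS = [
    ("eval-unescape", re.compile(r"eval\s*\(\s*unescape\s*\(", re.I)),
    ("document-write-unescape", re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I)),
    ("hidden-iframe", re.compile(r"<iframe[^>]*\b(?:width|height)\s*=\s*[\"']?0\b", re.I)),
]


def is_php_in_image_dir(path: str) -> bool:
    """True for a PHP file living where only images should be: the WordPress
    uploads tree or any 'cache' directory (the resizer cache dir name is assumed)."""
    if PurePosixPath(path).suffix.lower() not in PHP_SUFFIXES:
        return False
    norm = "/" + path.strip("/") + "/"
    return "/wp-content/uploads/" in norm or "/cache/" in norm


def injection_hits(content: str) -> list:
    """Names of the injection heuristics that match the file content."""
    return [name for name, pat in INJECTION_PATTERNS if pat.search(content)]


def triage(tree: dict) -> list:
    """Walk a {path: content} mapping and return sorted (path, finding) pairs."""
    findings = []
    for path, content in tree.items():
        if is_php_in_image_dir(path):
            findings.append((path, "php-in-image-dir"))
        for name in injection_hits(content):
            findings.append((path, "injected-js:" + name))
    return sorted(findings)


# Constructed sample tree standing in for a real WordPress install.
SAMPLE_TREE = {
    "wp-content/themes/demo/timthumb.php": "<?php /* constructed stand-in for the resizer */ ?>",
    "wp-content/themes/demo/cache/UPD.PHP": "<?php /* constructed: PHP where only cached images belong */ ?>",
    "wp-content/themes/demo/footer.php": "</body><script>document.write(unescape('%3Cscript%20src%3D...'))</script>",
    "wp-content/plugins/gallery/gallery.php": "<?php ?><iframe src=\"http://redirect.invalid/\" width=\"0\" height=\"0\"></iframe>",
    "wp-content/uploads/2011/10/photo.jpg": "\xff\xd8 constructed image bytes",
}

if __name__ == "__main__":
    for path, finding in triage(SAMPLE_TREE):
        print(f"{finding:28} {path}")
```

On a live install you would feed `triage` the real tree and pair the hits with file modification times and the FTP access logs, since the article's case began with stolen FTP credentials rather than the plugin alone.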

“WordPress is not immune to exploitation – a fact driven by its overall popularity and the wide number of available versions,” said Mr Sirmer. However, he stressed that this was not a specific issue with WordPress itself, but the result of an outdated plugin and poor password management by site administrators. The case highlights that easily cracked login and password details for the underlying FTP servers can lead to problems. “Stronger login and password keys, alone or together with two-factor authentication, are options that system administrators should use when working with third-party IT managers.”
   © 2012 ProSecurityZone.com