Two-week-old WordPress malware attack is blossoming into a real threat

MALWARE DETECTION, prevention and protection company Sucuri has warned the world about a WordPress problem that is already two weeks into the threat charts and is rising rapidly.

The malware is called VisitorTracker, and its aim should be self-explanatory. Sucuri said that incidents of infection have had a sharp uptick in recent days, and the firm – which reported on it just two weeks ago – hopes that its reprise and update of the information will inform WordPress and encourage it to take action to mitigate the problem.

“We initially shared our thoughts on it via our SucuriLabs Notes, but as the campaign has evolved we have been able to decipher more information as we investigate the effects on more compromised sites,” explained Sucuri CTO Daniel Cid in a blog post.

“This post should serve as a resource to help WordPress administrators (i.e. webmasters) in the WordPress community.”

It may well do. The information suggests an evolving and interesting malware system that Cid said could be used to trick web users into trusting the most devious of webpages.

“This malware campaign is interesting. Its final goal is to use as many compromised websites as possible to redirect all their visitors to a Nuclear Exploit Kit landing page. These landing pages will try a wide variety of available browser exploits to infect the computers of unsuspecting visitors,” he said.

“If you think about it, the compromised websites are just a means for the criminals to get access to as many endpoint desktops as they can. What’s the easiest way to reach out to endpoints? Websites, of course.”

Sucuri added that it is trying to track down the access point, but that it could be any one of the many plugins released for the platform.

“We detected thousands of sites compromised with this malware just today and 95 percent of them are using WordPress. We do not have a specific entry point determined yet, but it seems to be a campaign targeting the latest vulnerabilities in plugins,” the firm said.

“Out of all the sites we detected to be compromised, 17 percent of them already got blacklisted by Google and other popular blacklists.”

Source: TheInquirer