AVAST warns site owners to “check your plugins" as infections spike
Researchers at the AVAST Virus Labs in Prague have seen an increase in malware infections on sites running WordPress, an open-source application frequently used by bloggers and self-publishers. The infections stem from a vulnerability in a popular image plugin combined with loose credential management.
In early October, researchers from AVAST were contacted by several users via the CommunityIQ system reporting that www.theJournal.fr, the online site for The Poitou-Charentes Journal, had been infected. In addition, the site operator directly contacted AVAST to determine why the avast! antivirus program was blocking visitors from their site, which had purportedly been “checked and clean” by an external scanner.
The AVAST research team detected similar infections in other WordPress sites. “The Poitou-Charentes Journal is just one part of a much bigger attack,” said AVAST Senior Virus Lab researcher Jan Sirmer. “These compromised sites are part of a network which redirected vulnerable users to sites distributing an array of malware.”
Mr. Sirmer worked with the site owner to gather more information on how this web site had been compromised and where vulnerable users were being redirected as they visited the site. He was able to determine that the source of this infection was a PHP file (UPD.PHP) uploaded through a security vulnerability in TimThumb, an image resizer used by developers to create themes for WordPress sites. It is believed that a hacker compromised the weak login credentials used by the WordPress administrators for the hosting servers’ FTP prior to uploading and executing PHP files.
The infection was the work of cybercriminals using the Blackhole Toolkit, a set of malware tools available on the black market. “TheJournal.fr and its readers were certainly not the only targets; this is a larger issue of WordPress security,” said Mr. Sirmer. “We’ve registered 151,000 hits at one of the locations where this exploit redirected users. We also blocked redirects from 3,500 unique sites on August 28–31, the first three days that this infection surfaced, that led to this exploit. During September, we blocked redirects from 2,515 sites and I expect October results will be similar.” More details on the Toolkit are in Mr. Sirmer’s blog post.
Mr. Sirmer uncovered and removed several JavaScript infections and a backdoor Trojan on the TheJournal.fr site during his investigation. In this instance, the problem went unnoticed because the site was hosted and managed by a third party. “The site owner found out about the infection only because visitors to the site running avast! were blocked from visiting the site as part of their protection,” he said. “So even if you outsource IT services, it is often a good idea to visit your own blog with an AV that has an active virus scan to make sure that it is not infected or being blocked. And change your FTP passwords, and don’t save them on your PC, because this malware is often able to unpack the passwords from the usual FTP clients.”
“WordPress is not immune to exploitation, a fact driven by its overall popularity and the wide number of available versions,” said Mr. Sirmer. However, he stressed that this was not a specific issue with WordPress itself, but the result of an outdated plugin and poor password management by site administrators. This issue highlights that simple-to-crack login and password details for the underlying FTP servers can lead to problems. “Stronger login and password keys, alone or together with two-factor authentication, are options that system administrators should use when working with third-party IT managers.”