Mass injection attack on WordPress blogs revealed

Fraser Howard, a principal virus researcher with Sophos, says that the attacks began a few weeks ago and they all seem to affect websites running the popular blogging platform.

A successful infection, he notes, will result in one or several .php files being dropped on the web server in multiple WordPress directories.

However, despite the .php extension, Howard says that these rogue files actually contain malicious JavaScript code that is obfuscated (hidden) using a technique that makes every one unique.

The second step of the polymorphic attack, he adds, is to inject code into legitimate .js files used by WordPress, such as the jQuery library, so that the dropped .php files are loaded along with them.

Then, once the obfuscated JavaScript reaches the pages parsed by visitors' browsers, it generates a hidden iframe element, which triggers a remote download of malware onto the visitor's computer.
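The three indicators just described (PHP-named files that hold JavaScript rather than PHP, legitimate .js files modified to load those .php files, and script that builds an invisible iframe) can be checked for with a simple heuristic walk of a WordPress install. The scanner below is an added example written for this article, not code from Sophos or from the WordPress project; the directory layout, file contents and regular expressions are constructed for the demonstration and are not indicators from the actual campaign.

```python
"""Heuristic scan of a WordPress tree for the three indicators described above:
.php files that actually contain obfuscated JavaScript, .js files altered to
load those .php files, and hidden iframes. Added example, not Sophos' or
WordPress's code; the sample tree and its contents are constructed for the demo."""
import os
import re
import tempfile
from pathlib import Path

# A genuine PHP file opens a PHP tag somewhere; a JS payload renamed to .php does not.
PHP_OPEN_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)
# Traits typical of obfuscated JavaScript (char-code building, eval, unescape, document.write).
JS_OBFUSCATION = re.compile(
    r"(String\.fromCharCode|eval\s*\(|unescape\s*\(|document\.write|\bfunction\s*\()")
# A .js file that points a script src at a .php file or builds a <script> element at runtime.
JS_LOADS_PHP = re.compile(
    r"(src\s*=\s*[\"'][^\"']*\.php|createElement\s*\(\s*[\"']script[\"'])", re.IGNORECASE)
# An iframe made invisible (zero size or display:none) is the classic drive-by loader.
HIDDEN_IFRAME = re.compile(
    r"<iframe[^>]*(display\s*:\s*none|visibility\s*:\s*hidden|width\s*=\s*['\"]?0|height\s*=\s*['\"]?0)",
    re.IGNORECASE)


def classify_file(path: Path) -> list[str]:
    """Return the indicator labels that apply to one file (empty list if nothing matched)."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return []
    findings = []
    suffix = path.suffix.lower()
    if suffix == ".php" and not PHP_OPEN_TAG.search(text) and JS_OBFUSCATION.search(text):
        findings.append("php_file_contains_javascript")
    if suffix == ".js" and JS_LOADS_PHP.search(text):
        findings.append("js_file_loads_php")
    if HIDDEN_IFRAME.search(text):
        findings.append("hidden_iframe")
    return findings


def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk an install and map each flagged file's relative POSIX path to its labels."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            labels = classify_file(p)
            if labels:
                results[p.relative_to(root).as_posix()] = labels
    return results


def build_sample_tree() -> str:
    """Constructed sample install: a clean PHP file, a clean JS file, a JS payload
    disguised as .php, a jQuery copy with an injected loader, and a theme template
    carrying a hidden iframe. Every name and content here is invented for the demo."""
    root = tempfile.mkdtemp(prefix="wp_demo_")
    samples = {
        "wp-includes/version.php": "<?php\n$wp_version = '3.x';\n",
        "wp-includes/js/clean.js": "function hello(){ return 'hi'; }\n",
        "wp-content/uploads/cache.php":
            "var a=[104,105];var s='';for(var i=0;i<a.length;i++)"
            "{s+=String.fromCharCode(a[i]);}eval(s);\n",
        "wp-includes/js/jquery/jquery.js":
            "/* jQuery (truncated, constructed) */\nvar d=document.createElement('script');"
            "d.src='/wp-content/uploads/cache.php';document.body.appendChild(d);\n",
        "wp-content/themes/demo/footer.php":
            "<?php wp_footer(); ?>\n"
            "<iframe src=\"http://example.invalid/x\" style=\"display:none\"></iframe>\n",
    }
    for rel, content in samples.items():
        full = Path(root) / rel
        full.parent.mkdir(parents=True, exist_ok=True)
        full.write_text(content)
    return root


if __name__ == "__main__":
    for rel, labels in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{rel}: {', '.join(labels)}")
```

Run against a real install, `scan_tree` is a triage aid rather than a verdict: a match on a core file such as jquery.js should be confirmed by diffing it against a pristine copy of the same WordPress release, and any .php file that contains no PHP at all under wp-content/uploads deserves attention regardless of what the regular expressions say.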

According to Howard, reviewing a number of the affected sites, it was quickly apparent that they shared a common link – they all seemed to be running WordPress.

"In typical WordPress injection attacks, the database ends up "peppered" with malicious HTML (typically an iframe or script element to load other remote content) such that the web pages users view when browsing the site contain that malicious code. In this latest attack however, things are a little more complex", he said in his security blog.

Digging into the attack vectors, he says, it would appear that the hosting provider in question is no stranger to site hacks, as official posts on their company blog testify.

"In such cases it is imperative that in addition to cleaning up affected sites, the target of the attack is identified – be it a vulnerable server, web application or otherwise", he said.

"Only then can any vulnerabilities or insecurities be closed, to prevent future similar attacks", he added.
