Most reports involve Joomla, but WordPress also seems to be affected. “We've gotten some reports and discussion around many Joomla (and some WordPress) sites exploited and hosting IFRAMES pointing to bad places,” noted John Bambanek of the ISC Storm Center. The attack, he says, doesn’t seem to be centered on a single vulnerability, “but some tool that's basically firing a bunch of Joomla and WordPress exploits at a given server and hoping something hits.”
In Germany, Heise online contacted the German CERT (CERT-Bund), which confirmed that the attacks have been observed in Germany over the last few days. The attack, said CERT-Bund’s Thomas Hungenberg, involves exploiting known vulnerabilities on the two systems to inject an iFrame that takes visitors to malicious sites, primarily to infect the user’s computer with fake anti-virus malware.
“The injected code,” reports Heise online, “is a PHP shell that is then used to infect JavaScript files such as /media/system/js/mootools.js or /media/system/js/caption.js with new iFrames on a regular basis.” Fake AV, which pretends to find multiple malware on the user’s computer (and might put some there in the process) makes money for the criminals by demanding payment to remove the probably fictitious malware.
But it seems that this particular attack seeks to make further profit through the scheme known as Traffic Distribution Systems (TDS). Symantec described the process in a blog last year. It involves ‘selling’ clicks, which the ‘broker’ then sells on to the highest bidder. More recently, Daniel Cid, CTO at Securi, described a similar problem found on a compromised site. This also involved iFrames and the same SutraTDS System. “Using a TDS is a very simple way for the bad guys to make money. They compromise a site and redirect users of that hacked site to a TDS, where they receive an affiliate commission for the traffic sent.”
The case he discussed in September, and the new campaign reported by the Storm Center, seem remarkably similar. “This Traffic Distribution System (TDS) redirects the user randomly to affiliate sites (pharmacy / Pornography) or malware domains pushing off a Fake AV (antivirus),” which seems to be exactly the same as today’s reports.
David Harley, a senior research fellow with ESET, suggested that “the real interest is in whether there really is some form of mass exploit tool being used: if so, it's possible that it will eventually prove practical to detect the tool rather than (or as well as) the exploits, which could be a bit of a win for the security industry, eventually.” But, he warns, “In the meantime, sites running Joomla and WordPress platforms need to ensure that they're keeping up to date on patches. But that's always the case: these are platforms the bad guys are always going to try to subvert because of their sheer popularity.”