Network Security, Vulnerability Management

WordPress attacks try to infect users with dangerous rootkit

The number of WordPress blogs that have been compromised to hurl malware onto the machines of unsuspecting users is gradually growing, security researchers said this week.

The attacks are taking advantage of website owners who are hosting an older -- and vulnerable -- version of WordPress, 3.2.1, which was updated in December but is still widely in use.

Attackers are using automated scanners to find vulnerable sites, then they are taking advantage of input validation errors to embed IFRAMEs, which redirect users to exploit sites, all behind-the-scenes without the victim even noticing.

"You will not see the address bar in your web browser change," Stephan Chenette, principal security researcher at Websense, told SCMagazine.com on Tuesday. "It happens in milliseconds."

Websense researchers have detected hundreds of WordPress installations that have been compromised to lead users to malicious sites containing the Incognito exploit kit, which serves malicious Java code if users aren't patched to the latest version of the software, Chenette said. To compound matters, the exploit includes the TDSS rootkit, considered one of the most dangerous pieces of malware on the web because of its ability to hide at the lowest level of the operating system and avoid detection by anti-virus systems.

If infected, wiping the hard drive clean may be the only option.

"The recommendation is to reinstall your operating system at that point," Chenette said.

There appears to be concurrent WordPress attacks underway, which use different exploits, as security firm M86 Security has spotted hundreds of infected sites that are leading to the Phoenix exploit kit.

Assaults on sites running WordPress to spread exploits is not uncommon.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.