AVAST warns site owners to "check your plugins" as infections spike
PRAGUE, Czech Republic, October 31, 2011 – Researchers at the AVAST Virus Labs in Prague have seen an increase in malware infections on sites running WordPress, an open-source application frequently used by bloggers and self-publishers. The infections stem from a vulnerability in a popular image plugin combined with loose credential management.
In early October, AVAST researchers were notified by several users via the CommunityIQ system that www.theJournal.fr, the online site for The Poitou-Charentes Journal, had been infected. In addition, the site operator contacted AVAST directly to determine why the avast! antivirus program was blocking visitors to their site, which had purportedly been "checked and clean" by an external scanner.
The AVAST research team detected similar infections in other WordPress sites. "The Poitou-Charentes Journal is just one part of a much bigger attack," said AVAST Senior Virus Lab researcher Jan Sirmer. "These compromised sites are part of a network which redirected vulnerable users to sites distributing an array of malware."
Mr. Sirmer worked with the site owner to gather more information on how the web site had been compromised and where visitors were being redirected. He was able to determine that the source of the infection was a PHP file (UPD.PHP) uploaded through a security vulnerability in TimThumb, an image resizer used by developers to create themes for WordPress sites. It is believed that a hacker compromised the weak login credentials used by the WordPress administrators for the hosting servers’ FTP prior to uploading and executing PHP files.
The infection was the work of cybercriminals using the Blackhole Toolkit, a set of malware tools available on the black market. "TheJournal.fr and its readers were certainly not the only targets; this is a larger issue of WordPress security," said Mr. Sirmer. "We’ve registered 151,000 hits at one of the locations where this exploit redirected users. We also blocked redirects from 3,500 unique sites on August 28 to 31, the first three days that this infection surfaced, that led to this exploit. During September, we blocked redirects from 2,515 sites and I expect October results will be similar." More details on the Toolkit are in Mr. Sirmer’s blog post.
"WordPress is not immune to exploitation – a fact driven by its overall popularity and the wide number of available versions," said Mr. Sirmer. However, he stressed that this was not a specific issue with WordPress itself, but the result of an outdated plugin and poor password management by site administrators. The case highlights that simple-to-crack login and password details for the underlying FTP servers can lead to problems. "Stronger login and password keys, alone or together with two-factor authentication, are options that system administrators should use when working with third-party IT managers."
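The two conditions described above, an outdated TimThumb copy in a theme and a PHP file dropped where only images should be, are both things a site owner can check for on disk. The following script is an added example written for this page; it is not AVAST's code and not part of the original release. It assumes that TimThumb declares its version with a `define ('VERSION', '...')` line (which the real script does), that copies may be named `timthumb.php` or `thumb.php`, and that `cache`, `uploads` and `temp` directories should never hold PHP. The minimum acceptable version is a parameter; the default used here is an assumption and should be set from the TimThumb project's current release, not from this page. The sample tree is constructed in a temporary directory so the script runs offline.

```python
"""Audit a WordPress wp-content tree for outdated TimThumb copies and stray PHP files.

Added example (not AVAST's or WordPress's code). Assumptions, all hypothetical:
  * TimThumb copies are named timthumb.php or thumb.php and contain a
    define ('VERSION', 'x.y') line.
  * Directories that TimThumb and WordPress write into (cache, uploads, temp)
    should contain no PHP at all.
  * MIN_VERSION is a configurable threshold, not a fact taken from the page.
"""
import os
import re
import tempfile

VERSION_RE = re.compile(
    r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([\d.]+)['\"]\s*\)"
)
TIMTHUMB_NAMES = ("timthumb.php", "thumb.php")
WRITABLE_DIRS = {"cache", "uploads", "temp"}
MIN_VERSION = (2, 0)  # assumption: adjust to the current TimThumb release


def parse_version(text):
    """Return TimThumb's declared version as an int tuple, or None if absent."""
    match = VERSION_RE.search(text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def audit_tree(root, min_version=MIN_VERSION):
    """Walk `root` and return sorted (finding, relative_path) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        dir_parts = set(rel_dir.split(os.sep))
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            lower = name.lower()
            if lower in TIMTHUMB_NAMES:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    version = parse_version(fh.read())
                if version is None:
                    findings.append(("timthumb-unknown-version", rel))
                elif version < min_version:
                    findings.append(("timthumb-outdated", rel))
            elif lower.endswith(".php") and dir_parts & WRITABLE_DIRS:
                # PHP inside an upload/cache directory is a triage cue, not proof:
                # some caching plugins legitimately write .php here, so review it.
                findings.append(("php-in-writable-dir", rel))
    return sorted(findings)


def build_demo_tree(root):
    """Construct a small sample wp-content tree (constructed data, not from the page)."""
    theme = os.path.join(root, "themes", "sample-theme")
    cache = os.path.join(theme, "cache")
    uploads = os.path.join(root, "uploads", "2011", "10")
    for directory in (theme, cache, uploads):
        os.makedirs(directory, exist_ok=True)
    with open(os.path.join(theme, "timthumb.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\ndefine ('VERSION', '1.24');\n")  # constructed old version
    with open(os.path.join(theme, "functions.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php // legitimate theme code\n")
    with open(os.path.join(cache, "upd.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php // placeholder standing in for a file dropped by an attacker\n")
    with open(os.path.join(uploads, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff")  # JPEG magic bytes only


def run_demo():
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return audit_tree(root)


if __name__ == "__main__":
    for kind, rel_path in run_demo():
        print(f"{kind:24s} {rel_path}")
```

Run it against a real install with `audit_tree("/path/to/wp-content")`. A `timthumb-outdated` finding means the theme ships its own copy of the resizer that theme updates will not fix unless the theme author bundles a newer one; `php-in-writable-dir` findings deserve a look at the file's modification time and FTP logs around it, since a writable image directory is exactly where an uploaded script would land.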