Infected WordPress Sites Connected to Trojans on Approx. 700,000 Macs

Infected WordPress Sites Connected to Trojans on Approx. 700,000 Macs


According to security software firm Kapersky, the recent Apple Mac Flashback Trojan that made such a splash in the news recently can most likely trace its roots back to infected WordPress sites.

Alexander Gostev from the Kaspersky Lab Global Research and Analysis Team explains how compromised WordPress sites were used to infect Macs, “From September 2011 to February 2012, Flashfake was distributed using social engineering only: visitors to various websites were asked to download a fake Adobe Flash Player update. It meant the Trojan was being distributed as installation archives named ‘FlashPlayer-11-macos.pkg,’ ‘AdobeFlashUpdate.pkg,’ etc.”

According to Gostev, in March 2012 approximately 700,000 computers worldwide were infected with the Trojan. He says, “The infected computers are combined in a botnet which enables cybercriminals to install additional malicious modules on them at will. One of these modules is known to generate fake search engine results. It is quite possible that, in addition to intercepting search engine traffic, cybercriminals could upload other malicious modules to infected computers – e.g. for data theft or spam distribution.”

As we reported last month, the internet security firm Sucuri stated that in the cases they analyzed, the infected sites were either running an outdated version of WordPress or a vulnerable plugin. Attackers were also said to be gaining entrance to sites via weak passwords.

(If you would like to test your site for hacks and malware, Sucuri has an easy to use site-checker.)

In somewhat related news (though not directly related to this situation), WordPress has just released WordPress 3.3.2 – which is a SECURITY release. In other words, the new version has important security updates. You would be wise to update your site as soon as possible.

Photo: Cute_Worm_In_Apple from BigStock

3 Responses

    Shawn K. Hall

    The WP 3.3.2 security update patches a vulnerability that was patched in the original (component) source over 4 months ago. Why did they wait this long to release this update?

      Joe Foley

      Shawn – I’m not sure that the latest release has anything to do with the vulnerabilities that led to the Apple Trojans. As mentioned in the post, Sucuri said last month that the problems they had seen were because of out-dated versions of WP or vulnerable plugins.

        Shawn K. Hall

        They haven’t publicly identified exactly which plugins or versions of WP were affected, citing only “outdated” scripts. The plupload and swfupload scripts are incorporated directly into WP core, and a security update for both of these scripts were released over 4 months ago. This may meet Securi.net’s generic definition of an “outdated script”, even though it’s part of the core WP platform.

        I have a lot of respect for WP and Automattic, but this was bad. If you’re incorporating someone else’s code, you should be monitoring that source for changes, *especially* for security updates. You don’t wait for a security company to send you notice of an active exploit.

        I monitor all the WP installations on each of my servers, and last November there was a huge rise in requests for these various upload script URLs. With the way the recent plupload vulnerability worked, any link *from* your site (such as thru a commenter URL) could simply check the referer, generate a hidden div with an embedded swf referencing the referring site and a simple (8 line) javascript to upload ANY file from their own site (or anywhere else on the ‘net) to yours. Since your WP ‘session’ was still active when clicking thru, the script continued to have access to all your user rights, enabling them to essentially backdoor your site in less than a second. Whoops. Sure, hindsight is 20/20, but this could have easily been avoided 4 months ago.

        With only VERY slight modification of this dozen-line script, they could have injected it into any active WP plugin and essentially used your own site to perform the same backdoor access to every visitor on your site, propagating itself between the 80 million WP sites out there. This is exactly how a simple WP worm can be created and propagated. And the only way it succeeds is thru the ability for a third-party site to access your own sites’ uploading capabilities. This is exactly why WP implemented nonces about 6 years ago.

        Trust me, this is a very big deal, and we may yet see further damage because of it. I doubt even a small fraction of WP users have updated their installations yet…it’s a beautiful weekend in most of the USA, and it was painful to have to devote so much time yesterday to installing those updates across all of the sites I manage. :( At least if people are out enjoying the weather, they’re unlikely to be browsing infected WP sites.

Comments are closed.