What Isn't Websensed
3-2-1 WordPress vulnerability leads to possible new exploit kit
This past weekend one compromised Web site in particular held my attention. Based on my analysis, the site was compromised because it was running an old version of WordPress (3.2.1) that is exposed to publicly available exploits [1] [2]. The Web site injection itself is rather interesting. What is more interesting is the redirection chain and the resulting exploit site, which might be a new or updated Exploit Kit to watch out for.
Our research indicates that whoever is behind the injection has infected other sites. From our research the number of infections is growing (100+).
The Injection
The site was injected with the following code segment:
The above code is a simple substitution cipher algorithm that applies a basic obfuscation technique, which when deobfuscated produces the following code:
The code above instructs the Web browser to write an iframe into the document of the Web page:
Once the iframe is added to the Web page, the code forces a connection to the malicious site, which downloads content to the user's machine (all without the user's permission or knowledge). The malicious Web site serves a page that we assume includes the Incognito Exploit Kit, since one of Incognito's characteristics is that it uses showthread.php as the Web page filename for serving exploits to users. We are still not certain whether this is Incognito 2.0 or a totally different exploit kit. Most kits, much like Incognito, test the user's browser and/or OS type and version and serve the user several exploits, e.g. PDF exploits or browser-specific bugs. But this Exploit Kit appears to serve only the following Java exploit:
New or Updated Exploit Kit?
The Java exploit being served is CVE-2011-3544 (Oracle Java Applet Rhino Script Engine Remote Code Execution), which many Exploit Kits adopted in December 2011 because it is cross-platform and exploits a design flaw. Normally, kits use a variety of exploits, but as can be seen in the screen shot below, regardless of what OS or browser we used for testing, this Exploit Kit attempted to exploit ONLY the Java Runtime Environment (JRE). It did not attempt any other exploit.
Exploit and Dropped Malware
The Java exploit that is used isn't a normal buffer overflow; it takes advantage of a design flaw within Rhino, the JavaScript engine that runs under the JVM and interacts with Java applets.
An attacker can bypass the Rhino scripting engine protection by generating an error object, which runs with elevated privileges and executes code that disables the Security Manager. Once the Security Manager is disabled, the attacker can execute code with full permissions.
If the user isn't patched and is therefore vulnerable to CVE-2011-3544 (see patch details here), two Java files (VirusTotal links [1] [2]) drop Tdss (VirusTotal link [1] = 9/43). The Tdss rootkit is one of the stealthiest rootkits in the wild. Its goal is to acquire total control of infected PCs and use them as zombies for a botnet.
Prevalence of Injection Campaign
Since we started tracking this infection this past weekend, we have determined that this is an infection campaign. The Websense® ThreatSeeker® Network has found 100+ compromised Web sites, all with similar infection characteristics. The compromised Web sites all share these traits:
- Running WordPress 3.2.1
- Force a drive-by download via an iframe to the same malicious set of domains hosting a PHP Web page of the form: [subdomain].osa.pl/showthread.php?t=.*
- Attempt exploitation using CVE-2011-3544
- If exploitation is successful, installation of the Tdss rootkit on the user's machine
Here is an example list of sites that have been infected:
The number of Web pages running the vulnerable, targeted version WordPress 3.2.1 is in the hundreds of thousands. It is unknown at this time how the attackers are selecting which sites to infect.
What To Do If You Are Running WordPress 3.2.1
If you're running WordPress 3.2.1, we suggest that:
- You upgrade to the latest stable version of WordPress.
- You check the source code of all your Web pages to see if you've been infected (see the code above). If you have been infected, be sure to upgrade WordPress while simultaneously removing the injected code so that your Web pages aren't simply reinfected after being cleaned.
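As an added example (not part of the original post), a small Python scanner that applies the traits listed under Prevalence of Injection Campaign and the source-code check recommended above: it reads the WordPress version from the generator meta tag and flags any iframe pointing at the [subdomain].osa.pl/showthread.php?t= pattern. The sample pages are constructed; the hostname and t= value in them are placeholders, not real indicators.

```python
import re
from html.parser import HTMLParser

# Redirect target described in the post: [subdomain].osa.pl/showthread.php?t=...
MALICIOUS_IFRAME_RE = re.compile(
    r"^(?:https?:)?//[^/]+\.osa\.pl/showthread\.php\?t=", re.IGNORECASE)
# WordPress advertises its version in a generator meta tag; 3.2.1 is the targeted one
GENERATOR_RE = re.compile(r"^WordPress\s+([\d.]+)", re.IGNORECASE)
VULNERABLE_VERSION = "3.2.1"


class InjectionScanner(HTMLParser):
    """Collects iframe targets and the WordPress generator version from one page."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.wp_version = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])
        elif tag == "meta" and (a.get("name") or "").lower() == "generator":
            m = GENERATOR_RE.match(a.get("content") or "")
            if m:
                self.wp_version = m.group(1)


def scan_page(html):
    """Return the page's WordPress version and any iframe matching the campaign pattern."""
    p = InjectionScanner()
    p.feed(html)
    p.close()
    hits = [src for src in p.iframes if MALICIOUS_IFRAME_RE.match(src)]
    return {"wp_version": p.wp_version,
            "vulnerable_version": p.wp_version == VULNERABLE_VERSION,
            "malicious_iframes": hits,
            "infected": bool(hits)}


# Constructed sample pages (placeholder hostname and t= value, not real indicators)
SAMPLE_INFECTED = """<html><head><meta name="generator" content="WordPress 3.2.1" /></head>
<body><p>Welcome</p>
<iframe src="http://sub.osa.pl/showthread.php?t=12345" width="1" height="1"></iframe>
</body></html>"""
SAMPLE_CLEAN = """<html><head><meta name="generator" content="WordPress 3.3.1" /></head>
<body><iframe src="https://www.example.com/embed/video"></iframe></body></html>"""
```

The campaign writes the iframe from the obfuscated JavaScript shown above, so run the scanner over the rendered or deobfuscated page source as well as the static file.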
Notifying Compromised Web site owners
As a matter of practice, we try to notify certain sites of their infection. First we use the email address that appears in the "Contact Us" section of the site, and then we use the email address in the whois registration database. If those attempts are unsuccessful, we try to notify the site owners through their Facebook page (we have had very good success with this technique). Our recommendation when attempting to take down malicious URLs is to follow the best practices described in the document published by StopBadware.org (found here).
Websense customers are protected from these threats by ACE™, our Advanced Classification Engine.
Thanks,
Stephan Chenette – Principal Security Researcher