Hackers Infect WordPress 3.2.1 Blogs withTDSS Rootkit

. February 1, 2012 . 0 Comments

Hackers are using WordPress 3.2.1 Blogs to distribute TDSS Rootkit,writes Lucian Constantin on PCWorld

“It’s not clear how the websites are being compromised, but there are publicly known exploits for vulnerabilities that affect WordPress 3.2.1, which is an older version of the popular blog publishing platform.

Once they gain unauthorized access to a blog, the attackers inject malicious JavaScript code into its pages in order to load a Java exploit from a third-party server.

“From our analysis the number of infections is growing steadily (100+),” said Websense principal security researcher Stephan Chenette in a blog post on Monday. The company’s research into this mass code injection campaign indicates that whoever is behind it is experienced.

The Java vulnerability exploited in the attack is known as CVE-2011-3544 and allows the remote execution of arbitrary code. In this case, the attackers are leveraging it to install a version of the TDSS rootkit on the computers of people visiting the website.

“The TDSS rootkit is one of the stealthiest rootkits in the wild,” Chenette said. “Its goal is to acquire total control of infected PCs and use them as zombies for its botnet.”

The CVE-2011-3544 vulnerability started being targeted by most exploit toolkits in December 2001. These attack frameworks usually contain exploits for vulnerabilities in several software products like Adobe Reader, Flash Player and Java.

The Websense researchers are not sure if this mass code injection campaign uses an updated toolkit or an entirely new one, but experts from security firm M86 Security have tied recent WordPress 3.2.1 compromises to the Phoenix Exploit Kit.

Category: WordPress

Leave a Reply

Your email address will not be published. Required fields are marked *