WordPress sites serve as launching pad for Flashback

By Marcos Colon on Apr 20, 2012 8:19 AM
Correlation between infected sites and prolific trojan.

The malware responsible for infecting more than 650,000 Mac computers worldwide can thank compromised WordPress sites for its spread, experts say.

The Flashback trojan, first discovered in February, infiltrated Mac OS X platforms through a now-patched Java vulnerability, giving attackers the ability to perform a number of mischievous actions, including stealing data, installing additional malware and intercepting search engine traffic.

To spread the malware, its authors relied on infecting WordPress sites so that when unsuspecting users visited, they were silently redirected to a site that installed Flashback, a tactic known as a drive-by download, Alexander Gostev, head of Kaspersky Lab's global research and analysis team, said Thursday in a blog post.

From February to March, thousands of sites created on the popular publishing platform were poisoned, Gostev said. Researchers believe the sites' webmasters were running vulnerable versions of WordPress.

“Websense put the number of affected sites at 30,000, while other companies say the figure could be as high as 100,000,” Gostev wrote. “Approximately 85 percent of the compromised WordPress sites are located in the United States.”

In late January, Websense began tracking the outbreak on WordPress, one of several that have appeared in recent months and years.

The Kaspersky analysis states that, contrary to popular belief, the invulnerability of Mac OS X is a myth. It is, in fact, no safer than any other operating system. The size of the botnet decreased dramatically in April as a number of patches released by Apple have cooled the activity.

Although the main infection vectors are the hacked sites, user oversight is ultimately to blame, said Roel Schouwenberg, senior researcher for Kaspersky Lab.

“WordPress is a very popular platform for attackers to target,” he said. “There's not a whole lot WordPress can do if people neglect to update their WordPress or plug-in software.”

It's unclear what the Flashback botnet is being used for. Currently, researchers have not received reports signaling fraudulent activity, Schouwenberg said.

Representatives from Apple and WordPress could not be reached for comment.

This article originally appeared at scmagazineus.com


Copyright © SC Magazine, US edition