Dec 1, 2010 15:55 GMT

Security researchers have identified a sophisticated mass injection attack that uses polymorphic obfuscation and so far has targeted WordPress blogs at a US-based hosting provider.

According to Fraser Howard, a principal virus researcher at Sophos, the attacks began a few weeks ago and they all seem to affect websites running the popular blogging platform.

Successful infection will result in one or several .php files being dropped on the Web server in multiple WordPress directories.

However, despite the .php extension, these rogue files actually contain malicious JavaScript code obfuscated with a technique that makes every one unique.

In the security world this is known as polymorphic code and is used to evade antivirus software and intrusion detection systems.

The second step of the attack is to inject code into legitimate .js files used by WordPress, like the jQuery library, with the purpose of loading the .php files along with them.

Finally, when the obfuscated JavaScript makes it onto the pages parsed by the visitors' browsers, it generates a hidden <iframe> element.

This element is meant to load malicious content from remote servers in an attempt to infect computers with malware.
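An added example, not from Sophos or the original article: a defender-side check for the two on-disk artifacts described above, namely .php files that contain no PHP open tag and library .js files whose hash differs from a known-good copy. The paths, file contents and baseline dictionary are constructed for illustration, and both checks are heuristics that assume a trusted baseline is available.

```python
import hashlib
import os
import re
import tempfile

# Matches "<?php", "<?=" or a short "<?" open tag.
PHP_OPEN_TAG = re.compile(rb"<\?(php|=|\s)", re.IGNORECASE)

def scan_tree(root, baseline):
    """Return (tagless_php, modified_js) as sorted lists of paths relative to root.

    baseline maps a relative .js path to the SHA-256 of its known-good copy.
    """
    tagless_php, modified_js = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                data = fh.read()
            if name.lower().endswith(".php"):
                # Non-empty .php file with no PHP open tag: the server sends
                # its bytes to the browser unchanged, so it can carry script.
                if data.strip() and not PHP_OPEN_TAG.search(data):
                    tagless_php.append(rel)
            elif rel in baseline:
                if hashlib.sha256(data).hexdigest() != baseline[rel]:
                    modified_js.append(rel)
    return sorted(tagless_php), sorted(modified_js)

def demo():
    """Scan a constructed tree; all file names and contents are made up."""
    clean_js = b"/* constructed stand-in for a bundled library */\n"
    files = {
        "wp-includes/js/jquery/jquery.js": clean_js + b"/* constructed appended line */\n",
        "wp-includes/js/other.js": clean_js,
        "wp-includes/example.php": b"<?php echo 'ok'; ?>\n",
        "wp-content/uploads/dropped.php": b"var constructed_placeholder = 1;\n",
    }
    good = hashlib.sha256(clean_js).hexdigest()
    baseline = {"wp-includes/js/jquery/jquery.js": good,
                "wp-includes/js/other.js": good}
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
        return scan_tree(root, baseline)

if __name__ == "__main__":
    print(demo())
```

Because the dropped files are polymorphic, the check keys on structure (no PHP tag, hash mismatch against a baseline) rather than on a content signature.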

“Earlier today I queried all of the sites that we have seen hit in this attack over the past 7 days, identifying almost 600,” writes Mr. Howard.

“When looking at the GeoIP data for these sites I found that 97% of them were hosted by the same provider!” he adds.

The researcher also notes that the hosting provider, which he intentionally doesn’t name, was involved in similar incidents in the past.

When considering this and the fact that even WordPress installations running the latest version were affected, there is a strong possibility that the vulnerability lies with the company’s own infrastructure and not the blogging platform itself.