The infamous exploit kit was behind the infection that affected thousands of sites

Nov 1, 2011 08:49 GMT

The WordPress site hacks that many users and webmasters recently witnessed relied on a vulnerability in TimThumb which allowed the attackers to easily execute arbitrary code.

Avast researchers investigated the situation and concluded that the Blackhole exploit kit, developed by Russians and available for anyone to purchase in the online underground markets for no more than $1,500 (1,050 EUR), was behind the whole operation.

Because the exploit kit cannot be planted on a website unless that site has a vulnerability, the masterminds behind the operation came up with the idea of using an old flaw in TimThumb, a simple PHP script used for resizing images.

The weakness in the script would allow an attacker to upload and execute a malicious piece of code in the cache directory.

Another method relies on stolen passwords, which are used to access the site's FTP server and place two JavaScript files that carry out the attack on unsuspecting website visitors.

These scripts replace the first iframe on a page with a rogue element that redirects users to a location hosting the Blackhole exploit kit. The victim is then served a JAR file that deploys further malicious downloads to the infected system.
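A defender-side check for the two vectors described above, added here as an example and not taken from Avast or the article: TimThumb's cache directory should contain only resized images, so any file there carrying a PHP tag or lacking an image signature is suspect, and any iframe on a page whose host is not on a site's own allowlist deserves review. The allowlist and the sample page and cache files are constructed for illustration.

```python
import re
import tempfile
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# A resized-image cache should hold only JPEG/PNG/GIF data; a PHP open tag
# or a missing image signature means the file was not written by TimThumb.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")

def scan_cache_dir(cache_dir):
    """Return relative paths of cache files that are not plain images."""
    root = Path(cache_dir)
    suspicious = []
    for path in root.rglob("*"):
        if path.is_file():
            data = path.read_bytes()
            if PHP_TAG.search(data) or not data.startswith(IMAGE_MAGIC):
                suspicious.append(path.relative_to(root).as_posix())
    return sorted(suspicious)

class _IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a page."""
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.srcs.append(dict(attrs).get("src") or "")

def foreign_iframes(html, allowed_hosts):
    """Return iframe src values that point outside the site's allowlist."""
    collector = _IframeCollector()
    collector.feed(html)
    flagged = []
    for src in collector.srcs:
        if src.startswith("/") and not src.startswith("//"):
            continue  # same-origin relative path, not a redirect elsewhere
        host = urlparse(src).hostname
        if not host or host.lower() not in allowed_hosts:
            flagged.append(src)
    return flagged

def demo():
    """Constructed sample: one genuine GIF, one cache file hiding PHP, one page."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "a1b2.gif").write_bytes(b"GIF89a" + b"\x00" * 16)
        (Path(tmp) / "c3d4.gif").write_bytes(b"<?php echo 'x'; ?>")
        cache_hits = scan_cache_dir(tmp)
    page = ('<html><body><iframe src="https://www.youtube.com/embed/abc"></iframe>'
            '<iframe src="http://landing.example/in.php" width="0" height="0"></iframe>'
            '<iframe src="/local/widget.html"></iframe></body></html>')
    return cache_hits, foreign_iframes(page, {"www.youtube.com"})
```

Run `scan_cache_dir` against the real cache path and `foreign_iframes` against each served page with the site's own list of expected embed hosts; anything returned is worth a manual look, not automatic deletion.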

“WordPress is not immune to exploitation – a fact driven by its overall popularity and the wide number of available versions,” said AVAST Senior Virus Lab researcher Jan Sirmer.

The main issue, however, is not caused by weaknesses in WordPress itself but by poor password management, which in many cases lets an attacker access a site's FTP server; that is the easiest way to take the site down and plant all sorts of nasty elements on it.

“Stronger login and password keys, alone or together with two-factor authentication, are options that system administrators should use when working with third-party IT managers,” said Avast Senior Virus Lab researcher Jan Sirmer.