It seems that in the brave new world of the Intertubes, crime does pay. It pays very well indeed, in fact. The network I documented earlier has morphed and changed radically in the past few weeks, and become larger and more resilient. In addition, a new attack vector has emerged: attacks on old, outdated versions of WordPress weblog software.
I know that a lot of folks on my flist maintain their own WordPress blogs. Please, please, please, if you run WordPress or know somebody who does, update your WordPress software. It's quick (takes about five minutes) and easy, and all versions of WordPress prior to 2.5 should be considered completely insecure.
In the past couple of weeks, I've noticed a huge surge in WordPress hack attacks, to the point where last Monday there were more hacked WordPress systems than hacked iPower Web sites that were being used to redirect folks to Eastern European virus downloaders. It seems quite likely that the hackers are using automated tools to find and automatically attack old WordPress installs, though one person I've spoken with says he believes his WordPress install was attacked through an insecure FTP username and password that was brute-force guessed as well.
The network that is being used to distribute viruses is being fed from a lot of different sources: hacked iPower sites (of course), hacked WordPress installations, Google Groups set up as malicious redirectors, custom attack domains piggybacked on top of legitimate Web URLs, and hijacked phpBB and phpNuke installs seem to be the most common. For an update on what's going on in the seamy computer underground, and a new map of the computer distribution network:
The updated virus distribution map as it existed last Monday (I've been sick for the last week and a half, so I haven't got 'round to writing this post) looks something like this.
A lot has changed since I constructed the first map. The biggest single difference is there are now a large number of sites that serve the function of www.traffloader.info: they choose a virus dropper at random to redirect a user to.
The network still works in pretty much the same way. The hackers place redirectors on hacked iPower sites, or on hacked WordPress, phpNuke, or phpBB sites, or the hackers hack the DNS entry for a Web site such as www.unicmanila.org (the official United Nations Web site for the Philippines) to add a new record for http://making-gay-porn.unicmanila.org/ (which redirects to one of the traffic handlers that in turn redirects to a virus dropper).
WARNING *** WARNING *** WARNING
Many of the links here and elsewhere in this post are live. As of the time of this writing, they redirect to active virus distributors which can and will infect unpatched Windows computers, and in one case will try to infect Mac computers, with a virus. DO NOT click on these links if you don't know what you're doing. DO NOT allow any of these sites to download or install software onto your computer.
A visitor gets nto the network by doing a Google search, which turns up one of the hackers hacked sites. When he clicks on the Google result, he is sent to a traffic handling Web site. In the past, there was only one of these: traffloader.info, which kept a record of the Google search the user used and would then pick a virus dropper at random to send the user to. Doing this has several advantages: it places an extra step between the hacked Web site and the place where the virus comes from, making it more difficult to trace the source of the infection; and if one virus dropping Web site goes offline or is taken down, traffloader.info will simply start redirecting people to a different virus dropping Web site.
The traffloader.info URL itself, though, is a single point of failure. If traffloader.info is ever taken down (unlikely, since it's hosted in Eastern Europe and registered through crime-friendly, hacker-friendly registrar EST Domains), the whole network fails. And the hackers, apparently, have realized this.
In the past several weeks, many new Web sites have come online that do the same thing that traffloader.info does: they take a visitor, log the Google search the visitor made to get to a hacked site, then send the visitor off to another site that drops a virus. I've found several traffloader.info mirrors that are up and running as of the time of this writing:
traffloader.info/go.php (registrar: estdomains)
traff-mega.net/in.php (registrar: estdomains)
blyapizdets.info/go.php (registrar: estdomains)
kentford.cn/in.php (registered in China; currently using ns1.palaroid.info as name server, which is registered by estdomains)
So traffic comes in through a hacked Web site and goes to one of these sites. From there, it is redirected to one of the virus dropper sites, which have (as the chart above shows) exploded in number.
Some of the hacked WordPress installs don't redirect to a traffic handler site, but instead redirect directly to a virus dropper hosted at sexlookupworld.com directly.
Interestingly, some of the hacked WordPress sites also redirect, not to a virus dropper at all, but to www.cams.com (an affiliate pay-for-access porn Webcam site) or to xml.valary.com (which is a front-end for several pay-per-search search engines). It's possible the hackers responsible for the iPower intrusions and the WordPress hacks are also looking to expand their revenue stream by using the hacked Web sites to redirect to pay-per-search engines and old-fashioned affiliate porn sites. It's also possible that these particular hacks are the work of some other party, who has noticed the vulnerable WordPress installs (or possibly is using the same automated hacking tools that the virus guys are using) to try to piggyback on the WordPress exploits.
Another new twist is poisoned Google Groups. The hackers have set up a large number of Google Groups, which they are advertising by conventional and Weblog spam. These Google Groups have names like
http://groups.google.com/group/orgasm-video/web/free-teen-orgasm-movie
and
http://groups.google.com/group/forced-sex-video/web/free-anal-rape-video
and
http://groups.google.com/group/family-sex-video/web/free-father-daughter-sex-video
Visiting the home page of any of these Google Groups reveals a link to sexlookupworld.com, which (predictably) attempts to install a virus on the visitor's system.
What's also interesting is that the number of payload sites which examine the visitor's browser user-agent and automatically install Mac or Windows malware has not proliferated. As of the time of this writing, I have identified only one site that tries to download Mac malware; the additional new payload sites still download Windows-only malware. I don't know if this means that the hackers have decided the number of Mac users who will infect themselves is too small to pay attention to, or if they simply have had their hands full expanding the network.
The new network is far more resilient than the old network was, and no longer has a single point of failure. It also has a much larger number of inputs, and more ways to trap the unwary into infecting themselves. The explosion of compromised WordPress installs is especially worrisome.
Folks, running software on your own Web server means vigilance. It's the price you pay for getting your own blog--now you own all the security concerns. I cannot stress this enough: If you run software, ANY software, on your server, you MUST be diligent in keeping up with security patches. As of version 2.5, WordPress now automatically notifies you of security updates when you log in to the administrator area. And again, if you are running any version of WordPress prior to 2.5 in any configuration, you should assume you can be pwn3d at will, and that potentially everything on your Web server is up for grabs. The hackers don't even have to target you in specific; judging from the number of compromised WordPress installs I've seen, they simply have to run automated programs that scan the Web searching for insecure WordPress installs.
Even the Boston Public Library's WordPress install has been hacked, and is currently hosting redirectors to virus droppers with URLs such as
http://blog.bpl.org/brls/wp-content/uploads/2007/02/incest-hentai-22_2_08.html
This suggests the attackers have gained full access to the wp-content/uploads directory and can upload HTML files to it at will.
Edit: Mere minutes after posting this, I discovered another source of inputs to the network: compromised, fake, or otherwise dodgy Facebook profiles. Lots and lots and lots of them. Either within the profiles themselves, or within comments on the profile pages, I've seen a very large number of links to sexlookupworld.com.