Compromised WordPress Sites Redirecting to Black Hole Exploit Kit Servers

The Black Hole exploit kit is really becoming a serious pain in the neck for people trying to use the Internet. At some point, it may become easier to start a list of the URLs that aren’t hosting the exploit kit, rather than the ones that are. For the time being, the latest entry in the latter category is a group of thousands of WordPress blogs that have been compromised and are now redirecting visitors to sites serving the Black Hole exploit kit.


The ongoing attack is using a combination of tactics to compromise the WordPress blogs. Researchers at Avast found that attackers have been using stolen or guessed FTP credentials on the servers that host the blogs in order to upload a malicious PHP file, which in turn downloads other malicious code. The attackers also are exploiting a known vulnerability in the TimThumb image resizing utility used on many blogs to upload the malicious code.

Once the code is on a compromised site, it generates iframes as visitors hit the site, redirecting them to a remote site that is hosting the Black Hole kit. At that point, the users will have the pleasure of discovering which of their applications is vulnerable to the client-side exploits contained in Black Hole. The Avast researchers said that they had seen more than 150,000 hits on one of the sites to which victims are being redirected.

“The bad guys are using a security vulnerability in non-updated TimThumb. This allows attackers to upload and execute arbitrary PHP code in the TimThumb cache directory which will download other malicious files. But this is not the only way; for example, they use stolen passwords to direct FTP changes. In your FTP, alongside other site files, a new file will appear that looks like this: ./wp-content/w3tc/min/a12ed303.925433.js or ./wp-includes/js/l10n.js,” Avast researcher Jan Sirmer wrote in an analysis of the attack.
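The two symptoms described above (PHP dropped into TimThumb's cache directory, and the named JavaScript files that inject a hidden redirect iframe) can be checked for with a file-system sweep of a WordPress install. The following is an added example written for this article, not Avast's or WordPress's code; the sample tree, the hidden-iframe heuristic and the redirector hostname are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Dropped-file paths quoted in the Avast analysis, relative to the WordPress root.
KNOWN_DROPPED_FILES = {"wp-content/w3tc/min/a12ed303.925433.js", "wp-includes/js/l10n.js"}
# An iframe tag carrying an attribute that hides it (display:none, visibility:hidden,
# or a 0/1 pixel width); redirectors of this kind usually emit it via document.write.
HIDDEN_IFRAME = re.compile(
    r"<iframe[^>]*(display\s*:\s*none|visibility\s*:\s*hidden|width\s*=\s*['\"]?[01]\b)", re.I)

def scan_wordpress_tree(root: str) -> list[tuple[str, str]]:
    """Walk a WordPress install and return sorted (relative_path, reason) findings."""
    findings, root_path = [], Path(root)
    for path in (p for p in root_path.rglob("*") if p.is_file()):
        rel = path.relative_to(root_path).as_posix()
        text = path.read_text(errors="ignore")
        if rel in KNOWN_DROPPED_FILES:
            findings.append((rel, "known dropped file name"))
        # TimThumb only writes resized images into its cache directory, so PHP code
        # there is the arbitrary-upload symptom the article describes.
        if "/cache/" in f"/{rel}" and "<?php" in text.lower():
            findings.append((rel, "PHP code inside a cache directory"))
        if HIDDEN_IFRAME.search(text):
            findings.append((rel, "hidden iframe injection"))
    return sorted(findings)

def build_sample_site(root: str) -> None:
    """Constructed sample tree: one clean theme file plus three planted artefacts."""
    files = {
        "wp-content/themes/demo/functions.php": "<?php add_theme_support('menus');",
        "wp-content/themes/demo/cache/a3f1.php": "<?php /* constructed downloader stub */",
        "wp-includes/js/l10n.js": "document.write('<iframe src=\"http://redirector.invalid/\" width=1 height=1></iframe>');",
        "wp-content/w3tc/min/a12ed303.925433.js": "var x = 1;",
    }
    for rel, body in files.items():
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_text(body)

def demo_findings() -> list[tuple[str, str]]:
    """Build the constructed sample in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return scan_wordpress_tree(tmp)

if __name__ == "__main__":
    for rel, reason in demo_findings():
        print(f"{reason:34s} {rel}")
```

On a real install, point scan_wordpress_tree at the document root; the known-name check only catches this campaign, while the cache and iframe checks generalise to other drops of the same kind.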

Black Hole is one of a handful of widely available exploit kits that any attacker who can afford the price of entry can use to conduct his own operations. The full version of Black Hole sells for about $1,500 normally, although, for the budget-minded attacker, there are free versions available that don’t include all of the same features and exploits as the full one. Other exploit kits, such as Eleonore, also are available, but Black Hole has emerged as the most widely used one in recent months.

Avast’s research found that there were 3,500 unique sites redirecting users to the Black Hole sites in the first three days of the attack, and that number was around 2,500 for all of September. Attackers in these mass infection campaigns often target platforms such as WordPress not only because there are millions of potential targets, but also because those blogs are often hosted together, so compromising one machine can lead to infections on a large number of individual sites.


Discussion

  • Anonymous on

    Hi, will the original owners of these blogs know if their site had been exploited?

    And is WordPress informed about these issues?

  • Jan van Niekerk on

    Wordpress themes suck. There are so many with ancient versions of timthumb.php, and they will never be updated. Think you're going to stop the attack with mod_security? Nope, you disabled mod_security so that stupid timthumb.php would work.

  • Anonymous on

    wpscan + timthumb 0day dropped != kool. Sometimes it's best to keep your 0day to yourself.
