UPDATE: More than 1,000 WordPress blogs are currently being infected by a form of malware that has ‘piggybacked’ its way onto the blogging platform using the WordPress automatic update function, a security researcher has discovered.
According to Denis Sinegubko, founder of Unmask Parasites, the problem lies in WordPress’ ‘Automatic Update’ feature and affects WordPress users who have elected to use that feature. Attackers have figured out how to add a snipped of encrypted code into the PHP file that prompts WordPress to update, Update.PHP. That code injects malicious code into another PHP file, wp-settings.PHP, which redirects users to a series of pay-per-click e-commerce sites and pay per click search result aggregation sites, according to a blog post by Sinegubko.
WordPress creator Automattic added the automatic update feature in 2008 with version 2.7 of the WordPress blogging tool. The Update.PHP file ties directly to WordPress’ Automatic Update feature, meaning that users who believe they’re fixing their infected versions of WordPress could, in fact, be reinfecting it with a malicious program.
Sinegubko claims the problem first surfaced around April 20, shortly after the release of WordPress’ version 3.3.2, but stresses that it only affects users who have selected to receive automatic WordPress updates. Those who update manually and via Subversion – a WordPress management plugin – aren’t at risk.
Christine Mohan, a spokesperson for WordPress’ parent company, Automattic, claimed on Friday that repairing any problems the blogging platform may have is always a priority.
“WordPress is the most ubiquitous web software on the internet right now, and along with that growth has come an increase in the sophistication of malware trying to take advantage of it. It’s more important than ever to address this problem with untamperable server side solutions from web hosts and VaultPress,” Mohan said.
This isn’t Sinegubko’s first research involving WordPress blogs. Last summer, the researcher found thousands of blogs that had been rigged to insert malicious images into Google search results. The blogging platform has also caught the attention of malware authors and cyber criminal groups. Automattic advised users to change their account passwords in June, 2011, after its security team discovered backdoors accounts hidden in some of the most popular WordPress plugin modules. In January, 2012, researchers at the security firm M86 discovered hundreds of WordPress sites that had been compromised and were being used to distribute copies of the Phoenix Exploit Kit. March, 2012, security researchers at Trend Micro’s Trend Labs warned about compromised WordPress Web sites that were infecting visitors with the CRIDEX Worm.
Following the lead of companies like Microsoft, more and more software makers are implementing automated no-click updates for their platforms. Google has long used automatic updates for its Chrome Web browser. Both Adobe and Mozilla have shipped automatic update mechanisms for their Flash and Firefox products this year. But the update feature can be a double-edged sword. Some critics argue there needs to be a better balance between knowing what’s being installed on users’ computer and staying safe.