Emails purporting to come from the Better Business Bureau inform recipients of a (non-existent) complaint lodged against their business. The email includes a link to the “Complaint Report,” which leads to one of the infected WordPress sites.
Phony LinkedIn emails pose as invitation notifications and pending messages. They include a number of links, all of which lead to compromised WordPress sites.
According to Trend researchers, users who click the links are subjected to web-based attacks that target a vulnerability in Adobe’s Reader and Acrobat software (CVE-2010-0188) and a common Windows Help Center vulnerability (CVE-2010-1885). After exploiting the vulnerabilities, attackers push copies of the Blackhole exploit kit to infect users with the CRIDEX worm.
Trend Labs reports that WORM_CRIDEX.IC generates a number of random domains using domain generation algorithms (DGAs). The technique is commonly used to evade law enforcement and botnet take-downs. The sample's behavior depends on its specific configuration file, which was unavailable to Trend Labs. However, based on their static analysis, the malware is capable of executing and deleting files and retrieving certificates from a certificate store.
This isn’t the first time that WordPress sites have been used to push the Blackhole exploit kit. In November of last year, similar reports surfaced in which WordPress users were being redirected to servers hosting the Blackhole kit.