Both TrendLabs and M86 Security have taken notice of the mass compromise of websites running on the popular WordPress blogging platform and the corresponding spam campaign that is striving to infect as many computers as possible with the Cridex Trojan.
The attack starts with the user receiving a spoofed email stating that they have received LinkedIn invitations and have pending messages, or that a customer has filed a complaint about their company with the BBB, as in the sample email shown below:
Subject: Better Business Bureau complaint
Here with the Better Business Bureau would like to inform you that we have received a complaint (ID XXXXXXXX) from one of your customers in regard to their dealership with you.
Please open the COMPLAINT REPORT below to find the details on this matter and inform us about your point of view as soon as possible.
We are looking forward to your prompt reply.
Better Business Bureau
Council of Better Business Bureaus
4200 Wilson Blvd, Suite 800
Arlington, VA 22203-1838
Phone: 1 (703) 276.0100
Fax: 1 (703) 525.8277
When the user clicks on the link to review the (non-existent) complaint - or pending LinkedIn messages - they are taken to one of the compromised WordPress sites, which ultimately leads them to the [Phoenix or Blackhole] exploit kit hosted there. The exploit kit attempts to leverage vulnerabilities in Adobe Reader and Acrobat (CVE-2010-0188) and Windows Help Center (CVE-2010-1885) to infect the target machine with WORM_CRIDEX.IC (Cridex).
When executed, Cridex will attempt to download its configuration files from a remote server.
Cridex is said to have capabilities similar to ZeuS and SpyEye banking Trojans, including the ability to:
- Take screenshots of every webpage accessed by the user in real time.
- Blacklist and redirect URLs.
- Intercept browser requests and change the displayed content according to its configuration file in order to trick the user into entering private information.
All of the information captured by Cridex is then uploaded to a remote C&C server.
To avoid being hit by this malware attack, users are advised to exercise caution when following links within unsolicited emails. Traps like these can typically be avoided by taking a moment to hover your mouse over a link to see what the true destination URL is.
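The "hover over the link" check above can be automated for a mailbox or gateway. The following added example (not code from either vendor's report) parses the anchors in an HTML lure message and flags any whose real destination host is not one of the domains the message claims to come from, or whose visible text names a different host than the href points to. The message body and the hostname example-compromised-blog.test are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML lure in the style of the BBB/LinkedIn emails described above.
# The compromised-blog hostname is a placeholder, not a real indicator.
SAMPLE_EMAIL_HTML = """
<p>Please open the <a href="http://example-compromised-blog.test/wp-content/report.php">COMPLAINT REPORT</a>
to find the details on this matter.</p>
<p>Visit <a href="http://example-compromised-blog.test/linkedin">www.linkedin.com</a> to read your messages.</p>
<p>Sincerely, <a href="http://www.bbb.org/">Better Business Bureau</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html, expected_domains):
    """Return (visible text, destination host, reasons) for each link that does
    not go where the message implies. expected_domains are the brands the
    message claims to be sent by (e.g. bbb.org, linkedin.com)."""
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        reasons = []
        if not any(host == d or host.endswith("." + d) for d in expected_domains):
            reasons.append("destination host not a claimed sender domain")
        # Visible text that looks like a hostname but differs from the real one.
        shown = re.search(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", text, re.I)
        if shown and shown.group(1).lower() != host:
            reasons.append("visible text names a different host")
        if reasons:
            flagged.append((text, host, reasons))
    return flagged
```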
WordPress site owners can minimize the chances of their website being compromised by avoiding WordPress plug-ins with known vulnerabilities, using strong FTP credentials and exploring the numerous ways to help secure WordPress.