We were recently alerted to reports of an attack leveraging a vulnerability in TimThumb, a PHP script for cropping, zooming, and resizing Web images (.JPG, .PNG, .GIF) that is used as an add-on script on WordPress. The said vulnerability enables cybercriminals to perform local file insertion. When successfully exploited, it inserts a PHP script, which may be used for other data hacks.

The vulnerability was first discovered last August and has affected at least 1.2 million websites.

Based on our analysis, exploiting the said vulnerability allows an attacker to insert a file into the target site’s Web servers. In the attacks we’ve seen, affected websites were injected with PHP scripts hosted on sites whose names contain strings such as flickr.com, picasa.com, wordpress.com, and img.youtube.com.

Note that the URLs used to host the PHP scripts are not related to Flickr, Picasa, WordPress, or YouTube. The exploit includes those strings to bypass TimThumb’s validation process. It turns out that TimThumb merely looks for the strings of known media hosting sites before allowing the upload to go through, rather than checking the actual hostname.
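The weak check described above, contrasted with a hostname-based check, and a small log scanner that flags requests only the weak check would accept. This is an added example, not TimThumb's own code; it assumes the script is reached as timthumb.php with the image URL in its src parameter, and the allowed-host list and log lines are constructed for the example.

```python
"""Substring validation of a remote image URL versus strict hostname validation,
plus a scanner that flags access-log requests accepted only by the weak check."""
import re
from urllib.parse import urlparse, parse_qs

# Allowed media hosts; the exact list is an assumption for this example.
ALLOWED_HOSTS = {"flickr.com", "picasa.com", "wordpress.com", "img.youtube.com"}


def substring_check(url):
    """Weak validation: accept if an allowed name appears anywhere in the URL."""
    return any(host in url for host in ALLOWED_HOSTS)


def strict_host_check(url):
    """Hardened validation: parse the URL and require the hostname itself to be
    an allowed host or a subdomain of one (so 'flickr.com.example' is rejected)."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    host = parsed.hostname.lower()
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)


# Matches the request line in a common/combined access-log entry.
LOG_RE = re.compile(r'"GET (\S+) HTTP/1\.[01]"')


def suspicious_requests(log_lines):
    """Return src values that pass the substring check but fail the strict check."""
    flagged = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or "timthumb.php" not in m.group(1).lower():
            continue
        for src in parse_qs(urlparse(m.group(1)).query).get("src", []):
            if substring_check(src) and not strict_host_check(src):
                flagged.append(src)
    return flagged


# Constructed sample log lines (RFC 5737 addresses, reserved .example TLD).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Apr/2014:10:01:02 +0000] "GET /wp-content/themes/t/timthumb.php?src=http://img.youtube.com/vi/abc/0.jpg HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Apr/2014:10:02:15 +0000] "GET /wp-content/themes/t/timthumb.php?src=http://flickr.com.example/cache/pic.php HTTP/1.1" 200 812',
    '203.0.113.9 - - [10/Apr/2014:10:03:44 +0000] "GET /index.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print(suspicious_requests(SAMPLE_LOG))
```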

Once the script is inserted into the Web server, the attacker has a connection to the database and can perform other attacks. These can vary from loading malicious files through the affected websites to exfiltrating information from the affected server itself. We were able to retrieve a few samples of the inserted PHP files, and they are now detected as PHP_IRCBOT.AHC, PHP_CREW.ASD, and PHP_RUMMAH.HG.

As seen in the screenshot above, the PHP script leading to the malicious site loads once the compromised site is visited; thus the list of “Most Recent Visitors” shows that the last visitors accessed the malicious URL.

Trend Micro Smart Protection Network™ protects users from this attack by blocking all known related malicious websites and malware. Users are strongly advised to patch their systems with the latest version of TimThumb and to be wary of clicking malicious URLs, even those from known sources.

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice