Apr 11 | 2:43 pm (UTC-7) | by Jonathan Leopando (Technical Communications)
Mass compromises have not been in the news of late, but a new wave recently hit the headlines. According to news reports, users running the popular blogging platform WordPress have been hit with an attack that modifies a setting within the application that contains the URL of a blog.
In compromised sites, this setting is changed to point to a malicious website. This redirects all would-be blog readers to that website, which contains scripts leading to a malicious file detected by Trend Micro as TROJ_BUZUS.ZYX.
TROJ_BUZUS.ZYX, in turn, starts an infection chain that leads to various malware, including a rogue antivirus that was already detected by Trend Micro as TROJ_FAKEAV.ZZY.
It is not yet clear how this attack is being carried out. However, many of the affected blogs were hosted on Network Solutions, which stated on its own blog that it is aware of the issue. In addition, Network Solutions stated that it was investigating the issue and checking to see if a WordPress theme or plug-in was responsible.
This represents a change in the behavior of the BUZUS malware family, as it traditionally spreads via instant-messaging programs, as documented in two separate posts here in the Malware Blog:
Trend Micro™ Smart Protection Network™ protects users from these threats by blocking the malicious website used in this attack as well as by detecting and removing associated malware like TROJ_BUZUS.ZYX and TROJ_FAKEAV.ZZY.
Update as of April 12, 2010, 11:30 p.m. (GMT +8:00):
Network Solutions has released its official word that the root cause of the mass compromise has been addressed by changing its password to the WordPress database. Users are likewise advised to log in to their administrative accounts to change their passwords and to delete accounts they do not recognize.
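A defender's check for the two things this post tells site owners to look at, the changed blog-URL setting and accounts they do not recognize, written as an added example that is not from the original post or from Network Solutions. It assumes the default `wp_` table prefix and that the setting is stored in the `siteurl` and `home` rows of `wp_options` (the post does not name it), and it narrows the account check to administrators; the SQLite database and every row in it are constructed stand-ins for the site's MySQL database.

```python
import sqlite3
from urllib.parse import urlparse

def audit_wordpress(db, expected_host, known_admins):
    """Return findings for redirected URL options and unrecognized admin accounts."""
    findings = []
    # Assumption: 'siteurl' and 'home' are the wp_options rows holding the blog URL.
    rows = db.execute(
        "SELECT option_name, option_value FROM wp_options "
        "WHERE option_name IN ('siteurl', 'home') ORDER BY option_name")
    for name, value in rows:
        host = (urlparse(value).hostname or "").lower()
        if host != expected_host.lower():
            findings.append(("url-option", name, value))
    # Administrators carry the 'administrator' role in their wp_capabilities meta row.
    rows = db.execute(
        "SELECT u.user_login FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%\"administrator\"%' "
        "ORDER BY u.user_login")
    for (login,) in rows:
        if login not in known_admins:
            findings.append(("unknown-admin", login, ""))
    return findings

def build_sample_db():
    """Constructed sample data (not from a real incident); SQLite stands in for MySQL."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_options VALUES ('siteurl', 'http://redirect.invalid/js/');
        INSERT INTO wp_options VALUES ('home', 'http://blog.example.com');
        INSERT INTO wp_users VALUES (1, 'alice'), (2, 'wpsupport'), (3, 'bob');
        INSERT INTO wp_usermeta VALUES
            (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
            (2, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
            (3, 'wp_capabilities', 'a:1:{s:10:"subscriber";b:1;}');
    """)
    return db

if __name__ == "__main__":
    # Hypothetical site: blog.example.com with one recognized administrator, 'alice'.
    for finding in audit_wordpress(build_sample_db(), "blog.example.com", {"alice"}):
        print(finding)
```

Run on a schedule against a read-only database account, a check like this surfaces a changed URL setting before readers report the redirect.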