Compromised WordPress sites Drive Users to Blackhole Exploit Kit

We were alerted to reports of a mass compromise of WordPress sites that lead to CRIDEX infection. To lure users to these compromised sites, the cybercriminals behind this employed spammed messages purporting to come from known legitimate sources such Better Business Bureau and LinkedIn, just to name a few. These spam use social engineering tactics to entice unsuspecting users to click the link found in the email.

Clicking this link leads to a series of compromised WordPress sites, which ultimately point users to the Blackhole Exploit kit that targets vulnerabilities cited in CVE-2010-0188 and CVE-2010-1885. This is detected by Trend Micro as JS_BLACOLE.IC.

Once users click on any of the URLs seen on Figure 3, users are redirected to sites that host the said exploit kit.

Based on our analysis, this exploit results to the installation of WORM_CRIDEX.IC on the affected system. When executed, this worm connects to a remote site http://{Random URL}.ru:8080/rwx/B2_9w3/in/ to download its configuration files.

WORM_CRIDEX.IC was also found to generate several random domains using domain generating algorithms (DGA). This is a well-known technique used by cybercriminals to evade law enforcement and to prevent botnets from being shut down. The malware also uses DGA to download its configuration file. As of this writing, the exact behavior of the sample is dependent on the configuration file. Based on static analysis, however, it is capable of executing a file, deleting a file/folder, and retrieving certificates in a certificate store. During our testing, we were unable to download the configuration file as this was no longer available.

Trend Micro protects users from this threat via its Trend Micro™ Smart Protection Network™ that blocks malicious URLs related to this attack as well as detecting the related malware. To avoid encountering these compromised sites, users should think twice before clicking those links found on dubious-looking messages. Always verify the validity of received messages, specially those that claim to be from well-known sources.

With additional text and analysis by security evangelist Ivan Macalintal.

Post from: TrendLabs | Malware Blog – by Trend Micro

Compromised WordPress sites Drive Users to Blackhole Exploit Kit