While I was catching some much needed rest after WordCamp MSP, Joost de Valk did something cleaver. He setup a BlogPress SEO plugin on WordPress.org. The initial release consists of just a readme.txt and a php file with only the plugin comment header, no actual code. Since he set this release as 2.0, all users of the malicious 1.1 and 1.2 versions will receive “Plugin update is available” notices.
Tag Archives: Malware
BlogPress SEO is Malware
As with most scamming attempts, it all started with an email—which I ignored when I received it on Wednesday. It made claims of terrific SEO improvements using backlinks—yeah right. I do not use SEO enhancement plugins (other than Google XML sitemaps), and never plan on doing so. Anyways, the sender’s name as Saurabh, and his message was as follows:
Hello, My name is Saurabh, and I am here to offer you a unique wordpress plugin which will get you 100’s of backlinks like crazy. The plugin is 100% free and I can also offer installation help. http://BlogPressSEO.com Why backlinks are important for getting traffic. http://BlogPressSEO.com/#1 This is how the plugin works http://BlogPressSEO.com/#2 Thanks
Time for Flash to Die
Today some stupid advertisement delivery agency decided to ship a Flash based add that automatically infects your computer with a fake security suite (named “AV Security Suite”). This affects the latest Flash player, regardless of web browser.
Neat, right? Oh, it gets better. AV Security Suite is ransomware, which does not allow you to open any applications that it knows could close it. Great, isn’t it? The seemingly good thing is you can get rid of it using System Restore. Do this by:
- Pulling the powerplug to your PC (don’t do a “proper” shutdown or restart).
- Boot into safemode. Usually, you need to press and hold the F8 key while booting, and select safemode from the menu. However, if you did not shutdown properly this menu should automatically come up.
- Finally, in safemode use System Restore to go back to before the infection happened. Note that Windows 7 users can go strait to restoring using the “Restore Computer” menu item rather than safemode boot.
Going forward, remove Adobe Flash player from your computer. Since Adobe can’t seem to fix this issue, Flash player is not to be trusted (add Adobe Acrobat reader to your untrusted list as well). If you must have Flash player (for any reason) and use Firefox install Flashblock, it could save you time in the future.
[end of transmission, stay tuned]
Notes on Trustworthy Computing
How much is security worth to you? What about freedom? Currently, the Internet is akin to the Western United States in the 1800s. It is mostly a lawless land, unorganized, untaxed, and full of roaming bad guys. The commercial sector is exploiting it more and more. And in turn, is being harassed by the bad guys (crackers). Some foolish individuals, and organizations, wish to expel all of the bad guys from the Internet, and fund it with a tax on all Internet connections. Not only is this an ineffective waste of everyone’s money, it will make things worse.
Microsoft’s Scott Charney wishes to frame the issue of computer viruses in the same manner as their biological counterparts. He boasts, “I actually think that the health care model, particularly related to the World Health Organization and the Center for Disease Control …might be an interesting way to think about the problem.” While the idea itself is not new, the implications tend to draw heated debate. And, after the H1N1 and Avian Flu scares that did not materialize during the last decade, following too closely in the footsteps of the WHO and CDC would be foolish. However, having a procedure for containing and cleaning up virus outbreak is beneficial.
Charney continues, “Why don’t we think about access providers who are doing inspection and quarantine, and cleaning machines prior to access to the Internet?” With the bandwidth shaping technologies out today, a third party real time traffic scanner for malicious activity is possible. However, the first hurdle to this is the issue of privacy. With the real time scanner, the carrier could look at data that was once forbidden. Looking at packet destination won’t work as botnets become more sophisticated and operate in a more peer to peer fashion. Thus, content analysis will become necessary. This will drive both the botnets and legitimate users to encrypt all network traffic. Which is the second issue, real time scanners will become ineffective in the arms race against the bad guys.
Creating a WHO of computer viruses will cost money. Charney suggests a compulsory internet tax for all connected individuals. He even goes as far as suggesting that “…it’s a public safety issue…” Since when has the Internet been vital for public safety? If we, as a global community, are so dependent on the Internet for day to day life, maybe the roll of the Internet needs to be rethought. Twenty years ago, most people had never heard of the Internet. Today, most use the Internet just for logging into Facebook and playing Farmville or some other worthless time sink. Contrary to what Hollywood would have you believe, infrastructure–such as nuclear power plants–does not have vital components exposed to the Internet (e.g. the plot in Live Free or Die Hard could not happen). Why should one, who is responsible and maintains good security practices, pay to clean up the computer of some idiot who still believes that a Nigerian prince is going to give him (or her) a large sum of money. Recent viruses have not been self propagating, and the idea that the actions of one idiot will cause everyone else to get infected is invalid. The last major auto infecting worm was Blaster, and that was back in 2003 (Sasser does not count as a patch was available before it went public).
If a WHO of computer viruses is necessary, maybe it should be funded the same way that the quit smoking organizations are, charging the software vendors. Microsoft, in particular should pay. It is their insecure OS (Windows XP), and their ignorant user base that has caused the problem. They need to educate their users as to why UAC is good, and should not be disabled or ignored. Mr Charney, that is your organization, do not push your burden onto us.
[end of transmission, stay tuned]
Even though things are updated regularly on this blog, an iframe based exploit was discovered today. Unlike the previous iframe attack, which came through a SQL injection, this one involved modified theme files. Unlike the previous googlerank.info iframe attack, this one’s payload does not appear to be malicious, rather it is spammy.
There are a few things that point to some level of sophistication in the injection. First off, the code was injected into the end of the header.php file, only on the active theme. Typically, a script kiddy will not bother figuring out which theme is in use and instead will carpet bomb the place with malicious code. Secondly, the modification date on the file matches the last time the header was uploaded from the testbed. No, the testbed’s code was not compromised. This points to a possible Windows exploit (yes the Weblogs.us server still runs on Windows, unfortunately.) as any changes should have caused the modification date and time to update. Finally, rather than having the iframe hidden via CSS, there is a container div which is hidden instead, making it more difficult to have a general CSS rule to expose the iframe.
< div style="display:none" >< iframe src="http://klikvp.com/css/go.php?sid=1" frameborder="0" height="1" width="1" > < iframe > < div >
That is the offending code. Spaces were added to prevent execution. Klikvp is the same as Klikvip which is a known spammer. The tricky sucker is using a wrapping div now. The good news is that WordPress Exploit Scanner will find this, so keeping it around and periodically scanning is a good thing to do. It doesn’t offer dashboard notifications like Iframe-b-gone does but it scans files and other things that Iframe-b-gone does not.
[end of transmission, stay tuned]