Clean house to keep WordPress infection from coming back again and again

WordPress gets rekt again
WordPress gets rekt again

A security researcher has discovered a malvertising campaign that injects malware code into WordPress websites.

Denis Sinegubko, a senior malware researcher at Sucuri Security, said in a blog post that he had noticed a spike in WordPress infections where hackers injected encrypted code at the end of all legitimate javascript files.

He said that the malware starts with a comment of 32 hex digits, which is followed by ;window[“\x64\x6f and a long array of string constants until finally concluding with “.join(\”\”);”));“.

“This malware only infects first time visitors, it sets the ad-cookie cookie (er2vdr5gdc3ds) that expires in 24 hours and injects an invisible iframe,” said Sinegubko.

While investigating the iframes advertising campaign, the researcher saw a pattern relating to third-level domains and advertising. “The same structure of URL parameter, including ad_id which is always the same –Twiue123,” he said.

Sinegubko said the malware uploads multiple backdoors into various locations on the web server and frequently updates the injected code. “This is why many webmasters are experiencing constant reinfections post-cleanup of their .js files,” he added.

"If you host several domains on the same hosting account all of them will be infected via a concept known as cross-site contamination. It's not enough to clean just one site, or all but one, in such situations – an abandoned site will be the source of the reinfection."

According to Sucuri, Google has moved to blacklist the domains the attacker was using to upload ad code. All the domains in questions were registered by a person named Vasunya. The first domain was registered in late December with the latest being registered at the start of this month.

WordPress has had a terrible week security-wise. On Wednesday, Malwarebytes' senior security researcher Jérôme Segura said in a blog post that some infected WordPress sites were also delivering ransomware.

"WordPress sites are injected with huge blurbs of rogue code that perform a silent redirection to domains appearing to be hosting ads," said Segura. “This is a distraction (and fraud) as the ad is stuffed with more code that sends visitors to the Nuclear Exploit Kit," he said.

Segura pointed out that this wasn't malvertising since the domains used for this campaign are clearly not made to look like an advertiser. “There is, however, an ad fraud component for every malicious redirection as we observed the following URL being loaded: aliexpress.com/?ad=12144,” he added.

Catalin Cosoi, chief security strategist at Bitdefender, told SCMagazineUK.com that because the infection process appears to be permanent, he recommends sysadmins download a copy of the web server's content, sanitise it completely, delete the server copy and then re-upload the local, sanitised content.

“Before re-uploading, we recommend that all plugins and themes are updated to the latest versions in order to minimise the vulnerabilities an attacker might potentially exploit to regain access to the webserver's file system,” he said.

He added that for servers running multiple instances of WordPress on the same web server, system administrators should run each domain under different users in order to prevent cross-contamination. “This is a safe practice in general, not necessarily for this specific attack,” Cosoi said.