1,000+ WordPress sites compromised through automatic update feature
Posted on 04 May 2012.
More than 1,000 WordPress blogs have been modified to redirect visitors to sites serving malware, affiliate and pay-per-click redirectors, and low quality PPC search result aggregators, through the WordPress' automatic update feature.

The discovery was made by Denis Sinegubko, the founder of the helpful Unmask Parasites website, who points out the irony of webmasters trying to keep their sites safe by using automatic updating, and then having them compromised through the same means.

The individuals behind the attack have discovered how to add the malicious code to the update.php file, which prompts WordPress to update. This code then injects other code in the wp-settings.PHP file, and effects the redirects.

The update.php file contains the "wp_update_core" function, which is used by the WordPress Automatic Update feature, says Sinegubko.

"Behind the scenes, the 'wp_update_core' function checks for available updates, downloads new files, replaces old files and does all the rest stuff required to successfully complete WordPress upgrades," he explains.

"Your blog is supposed to be fully updated just before this function returns. At that moment all infected core WordPress files (such as wp-settings.php) should be replaced with new clean copies. And this is exactly the moment when the malicious code in the ďwp_update_coreĒ function begins to work. It reinfects the just-updated and new wp-settings.php file.

Consequently, only users who have the automatic update feature enabled can have their blogs compromised by this means. Those who update their WP installation manually or via Subversion (SBV) are safe.

"WordPress developers should consider adding some integrity control into their system (e.g. checksum control for core WP files) and warn webmasters (blog administrators) if core files change," Sinegubko concludes.


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Tue, Feb 9th