Hackers are compromising WordPress 3.2.1 blogs in order to infect their visitors with the notorious TDSS rootkit, according to researchers from Business Seo Solution. It’s not clear how the websites are being compromised, but there are publicly known exploits for vulnerabilities that affect WordPress 3.2.1, which is an older version of the popular blog publishing platform.
The Java vulnerability exploited in the attack is known as CVE-2011-3544 and allows the remote execution of arbitrary code. In this case, the attackers are leveraging it to install a version of the TDSS rootkit on the computers of people visiting the website.
The CVE-2011-3544 vulnerability started being targeted by most exploit toolkits in December 2001. These attack frameworks usually contain exploits for vulnerabilities in several software products like Adobe Reader, Flash Player and Java.
The Business Seo Solution researchers are not sure if this mass code injection campaign uses an updated toolkit or an entirely new one, but experts from security firm M86 Security have tied recent WordPress 3.2.1 compromises to the Phoenix Exploit Kit.
According to M86 security researcher Daniel Chechik, the people behind these attacks are luring victims to the infected websites by sending them spam emails that contain malicious links. The fact that these links lead to legitimate blogs helps attackers bypass URL reputation filters, Chechik said in a blog post on Monday.
It’s not clear if the attacks analyzed by M86 Security and Business Seo Solution are perpetrated by the same gang, but since they both target WordPress 3.2.1 blogs, webmasters are urged to upgrade to the latest version of WordPress, which at this time is 3.3.1.
In order to protect themselves from exploits, Web users should keep the software installed on their computers up to date, especially their OS, browser and browser plug-ins.