WordPress plugins Trojanised, spotted, fixed

WordPress just announced that the source code of three plugins for its popular blog-hosting software was maliciously modified.

Plugins are add-in modules that you install on your WordPress server to add functionality without writing all of the needed code yourself.

Where you might use a DLL with a Windows program – for example, to add a feature such as SSL support or an edit control into an existing application – you’d use a plugin with WordPress.

DLLs are usually written in a language such as C or C++ and compiled into native machine code; WordPress plugins are generally written in a mixture of JavaScript, PHP, HTML and CSS.

According to WordPress, the modified plugins were Trojanised to include backdoors.

Web-based backdoors can be extremely dangerous. If you’re a WordPress user, you’ll know that the WordPress platform includes a complete and powerful administration interface, password-protected, via a URL such as “site.example/wp-admin”. A WordPress backdoor might offer something with similar functionality, but using a different, unexpected, URL, and using a password known to the hacker, instead of to you.

As far as I can see, this attack doesn’t affect you or your users unless:

* You run your own installation of the WordPress platform.

* You use one of these plugins: AddThis, WPtouch, or W3 Total Cache.

* You updated your installed copy of one of those plugins in the past 48 hours from wordpress.org.

(WordPress says “in the past day”, but its post is dated simply 21 June 2011. So I’ve boosted that “day” to 48 hours to cover all reasonable interpretations of the WordPress statement. If you changed one of the abovementioned plugins inside a 48-hour window, why not check with WordPress exactly when the danger period was?)
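The three checks in the list above, and the kind of backdoor described earlier (an unexpected URL or parameter gated by a password only the attacker knows), turned into a triage script. This is an added example, not code from WordPress or from Naked Security. It assumes the plugins sit under wp-content/plugins as addthis, wptouch and w3-total-cache (directory names the article does not give), uses the 48-hour window, and flags generic PHP backdoor constructs (decode-then-execute, OS command execution, a function called by name from a request parameter) rather than any signature for the actual Trojanised code, which the article does not describe. The sample plugin tree it builds for the demo is constructed data, not real plugin code.

```python
"""Triage check for the plugin incident described above.

Added example; not code from WordPress or Naked Security. Assumptions:
  * the plugins live in wp-content/plugins under the directory names addthis,
    wptouch and w3-total-cache (assumed slugs, not stated in the article);
  * the 48-hour window the article suggests;
  * generic PHP backdoor indicators (decode-then-execute, OS command execution,
    calling a function named by a request parameter). These are what most web
    shells need, not a signature for the actual modified plugins.
"""
import os
import re
import tempfile
import time
from pathlib import Path

AFFECTED_SLUGS = ("addthis", "wptouch", "w3-total-cache")  # assumed directory names
WINDOW_SECONDS = 48 * 3600

SUSPICIOUS = [
    re.compile(r"\beval\s*\(", re.I),                                   # run a string as code
    re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(", re.I),    # obfuscated payload
    re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I),  # OS commands
    re.compile(r"preg_replace\s*\(\s*['\"]/[^'\"]*/[a-z]*e[a-z]*['\"]", re.I),     # /e modifier evals
    re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I),  # $_GET['f'](...) call
]


def recently_modified(path, now, window=WINDOW_SECONDS):
    """True if the file's mtime falls inside the danger window ending at `now`."""
    return now - os.path.getmtime(path) <= window


def suspicious_lines(php_source):
    """Return (line_number, stripped_line) for every line matching an indicator."""
    return [(n, line.strip())
            for n, line in enumerate(php_source.splitlines(), 1)
            if any(p.search(line) for p in SUSPICIOUS)]


def triage(plugins_dir, now, window=WINDOW_SECONDS):
    """Per affected plugin: is it installed, which PHP files changed inside the
    window, and which files contain backdoor-like code (paths relative to plugins_dir)."""
    plugins_dir = Path(plugins_dir)
    report = {}
    for slug in AFFECTED_SLUGS:
        d = plugins_dir / slug
        entry = {"installed": d.is_dir(), "recently_modified": [], "suspicious": {}}
        files = sorted(d.rglob("*.php")) if d.is_dir() else []
        for f in files:
            rel = f.relative_to(plugins_dir).as_posix()
            if recently_modified(f, now, window):
                entry["recently_modified"].append(rel)
            hits = suspicious_lines(f.read_text(errors="replace"))
            if hits:
                entry["suspicious"][rel] = hits
        report[slug] = entry
    return report


def build_sample(root, now):
    """Constructed sample tree for the demo: one clean plugin file last touched ten
    days ago, and one plugin file modified an hour ago with a backdoor-style snippet.
    The PHP is made up for this example; it is not the real plugin code."""
    plugins = Path(root) / "plugins"
    clean = plugins / "wptouch" / "wptouch.php"
    clean.parent.mkdir(parents=True)
    clean.write_text("<?php\nfunction wptouch_init() { add_action('init', 'wptouch_setup'); }\n")
    old = now - 10 * 24 * 3600
    os.utime(clean, (old, old))

    bad = plugins / "w3-total-cache" / "lib" / "helper.php"
    bad.parent.mkdir(parents=True)
    bad.write_text(
        "<?php\n"
        "// hidden 'admin' reachable through an unexpected parameter and gated by a\n"
        "// password the attacker knows: the pattern the article describes\n"
        "if (isset($_GET['k']) && $_GET['k'] === 'only-the-attacker-knows-this') {\n"
        "    eval(base64_decode($_POST['c']));\n"
        "}\n"
    )
    os.utime(bad, (now - 3600, now - 3600))
    return plugins


def run_demo():
    """Build the sample tree in a temporary directory and triage it; returns the report."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample(tmp, now), now)


if __name__ == "__main__":
    for slug, info in run_demo().items():
        print(f"{slug}: installed={info['installed']} "
              f"changed_in_window={info['recently_modified']}")
        for rel, hits in info["suspicious"].items():
            for n, line in hits:
                print(f"  {rel}:{n}: {line}")
```

Running the file shows the constructed demo; to check a real install, call triage("/path/to/wp-content/plugins", time.time()). A hit is a reason to read the file, not proof of compromise: some legitimate plugins do call base64_decode, and a file with no hits is not thereby proven clean. The mtime check is only as good as your clock and your filesystem, and an attacker who has already run code on the server can reset timestamps, so treat it as a first pass.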

The unwanted source changes have been reversed out, so the very latest versions of the affected plugins are now safe. If you installed a defective one, update it right away. Updating removes the backdoor code itself; if your site was exposed during the window, it is also worth looking for other recently changed files and for administrator accounts you don’t recognise, because a backdoor that was reachable could already have been used.

All wordpress.org passwords for the Support forums, WordPress Trac, and the repository have been force-reset. (This means you have to reset your password, just as you would if you forgot it.)

WordPress also temporarily blocked all access to the plugin repository and verified that no other plugins had been Trojanised.

A good response following criminal behaviour.

So, if you’re a WordPress user, don’t freak out when you’re asked to reset your password on your next login. And please take WordPress’s advice:

As a user, make sure to never use the same password for two different services, and we encourage you not to reset your password to be the same as your old one.

(Note. Naked Security runs on the WordPress platform, but we don’t use wordpress.org. We’re hosted by WordPress.com VIP on wordpress.com. We checked with Automattic, the people behind WordPress.com, and they’ve confirmed that no plugins in the WordPress.com VIP infrastructure were affected. No danger, Will Robinson.)

Mac users hit with fake anti-virus when using Google image search

A massive SEO poisoning attack has hit Google, targeting Windows and Mac users alike. From rather innocuous terms related to global warming, to hot topics like Osama bin Laden’s death, users are being hit with fake anti-virus programs, this time delivering payloads to users of Apple’s Mac OS X.

Strangely, when surfing to the compromised URLs you are first prompted with a JavaScript-based fake scanner that appears to show an infected Windows XP computer, even when surfing from a Mac.

When you click or close the fake scanner page you are prompted to download a .zip file onto your Mac with a filename like “BestMacAntivirus2011.mpkg.zip”.

Some of the downloads are a package installer that installs the fake software; others simply contain a ready-to-run Mac application.

[Image: Fake AV for Mac installer/download]

In a social engineering trick similar to those we have seen in Windows fake scanners, it pretends to be a legitimate Mac anti-virus program called MacDefender.

The scanner doesn’t actually touch the hard disk while “scanning”, although on a Mac without a hard disk activity light that can be hard to tell.

It pretends to find some very important things that may have been compromised, such as the Terminal application and the standard Unix utility test, also known to Unix shell programmers as [.

[Image: Mac fake scan results]

It uses a lot of social engineering, including redirecting your browser to rather offensive porn sites, although it does not appear they are doing this to make money, simply to imply that you are infected.

It also uses scare tactics like your credit card data being at risk. The reality is that your credit card is only at risk if you actually try to purchase the fake software.

[Image: Buy fake Mac AV]

Sophos customers using the Sophos Web Security Appliance and Sophos Live Protection are protected against these threats.

Mac users with Sophos Anti-Virus for Mac are protected by the identities OSX/FakeAVZp-B and OSX/FakeAV-DMP. Windows users are protected against the Windows version known as Mal/FakeAV-FS.

Are you a Mac user? Why not download our free anti-virus for Mac OS X?