Thousands of WordPress blogs hijacked to deploy malicious code
Anti-virus firm Avast reports that criminals are exploiting a critical hole in the TimThumb WordPress add-on to deploy malicious code on a large scale. Avast says it blocked more than 2,500 infected sites in September and anticipates a similar number in October. The attackers install the professional BlackHole exploit framework on the affected servers; the framework then attempts to infect visitors to the WordPress blog with malicious code by probing for various vulnerabilities in the visitor's browser and installed plug-ins.
Avast hasn't disclosed what kind of hole in TimThumb is being exploited. It is probably the vulnerability that was exposed three months ago and was already being actively exploited at that time; even one of the developers was affected. Since the attackers continue to find numerous vulnerable WordPress installations, it appears that many admins are not yet aware of the danger, possibly because they don't even know that the vulnerable script is installed on their server.
The add-on could have got onto the server as part of an installable theme – some themes use TimThumb to resize images. Admins, and owners of WordPress blogs, are therefore advised to check whether their installed theme uses a vulnerable version of TimThumb. An incomplete list of affected themes is available on the sucuri.net blog. Version 2.0 of the add-on has been released in the meantime; according to co-developer Mark Maunder, this version is immune to this attack as well as various others.
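The check recommended above, as an added example that is not part of the article: a POSIX shell script that walks a WordPress themes directory, finds every bundled copy of TimThumb and reports its version, flagging anything below 2.0. It assumes the script is stored as timthumb.php or thumb.php (a file name some themes use) and declares its version with a `define('VERSION', '...')` line; the sample theme tree it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the article or from TimThumb itself.
# Assumption: TimThumb ships as timthumb.php or thumb.php and contains a line
# such as  define ('VERSION', '1.33');  from which the version can be read.

# Classify a version string: anything below 2.0 (or unparseable) is treated as vulnerable.
timthumb_status() {
    case "$1" in
        unknown) echo "VULNERABLE (version not found, treat as old)" ;;
        *)
            major=${1%%.*}
            if [ "$major" -ge 2 ] 2>/dev/null; then echo "ok"; else echo "VULNERABLE"; fi ;;
    esac
}

# Print "path<TAB>version<TAB>status" for every TimThumb copy under the directory in $1.
scan_timthumb() {
    find "$1" -type f \( -name 'timthumb.php' -o -name 'thumb.php' \) |
    while IFS= read -r file; do
        # Pull the quoted value out of define('VERSION', '...'); tolerate spacing and quote style.
        version=$(sed -n "s/.*define *( *['\"]VERSION['\"] *, *['\"]\([0-9.]*\)['\"].*/\1/p" "$file" | head -n 1)
        [ -n "$version" ] || version="unknown"
        printf '%s\t%s\t%s\n' "$file" "$version" "$(timthumb_status "$version")"
    done
}

# Number of vulnerable copies found; handy as a gate in a deploy or audit job.
count_vulnerable() {
    scan_timthumb "$1" | grep -c 'VULNERABLE' || true
}

# Constructed sample theme tree (not real theme code) so the script runs offline.
make_sample_themes() {
    dir=$(mktemp -d)
    mkdir -p "$dir/old-theme/scripts" "$dir/new-theme/lib" "$dir/clean-theme"
    printf "<?php\ndefine ('VERSION', '1.33');\n" > "$dir/old-theme/scripts/timthumb.php"
    printf "<?php\ndefine('VERSION', '2.0');\n" > "$dir/new-theme/lib/thumb.php"
    printf "<?php\necho 'no timthumb here';\n" > "$dir/clean-theme/functions.php"
    echo "$dir"
}

# Usage: sh check-timthumb.sh /path/to/wp-content/themes
if [ "$#" -eq 1 ]; then scan_timthumb "$1"; fi
```

Run it against the real `wp-content/themes` directory; a non-zero count from `count_vulnerable` means at least one theme still bundles a pre-2.0 TimThumb that should be updated.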