Hi All,
I thought I'd share this in case it's helpful to anybody else. Today a series of emails passed through our SpamAssassin filter cleanly which had URLs to WordPress sites like the following...

hXXp://ticket-deals.de/wp-content/themes/xblog/index.php?id=741693561
hXXp://vertaser.ru/wp-includes/js/tinymce/plugins/media/xblog/index.php?id=225070296

Clicking those links bounces you over to hXXp://royalmail-service.co.uk and, using the ruse that they have missed a parcel delivery, encourages end users to enter the captcha. They then end up downloading a 200KB track_c4ca4238a0b923820dc.zip file which contains a track_89258099.exe file which is infected with the Cryptolocker virus. (The timestamp of the track_89258099.exe is 2014-09-03 09:07. The captcha number is always the same, as is the zip and exe file name. I've downloaded from multiple locations.)

As of an hour ago VirusTotal showed that only Malwarebytes detected the infection; however, one of my users had downloaded and executed the track EXE and it was detected by AVG, but not until after it had encrypted about 700 files, which I've restored from backup.

I've just crafted the following rule in order to block any more of these messages reaching end users, as having now looked through the logs I've found about 15 have come through today (all originating from the same IP in Russia?!):

uri      __SCS_HACKED_WORDPRESS_URIa  /wp-content\/(plugins|themes)/is
uri      __SCS_HACKED_WORDPRESS_URIb  /wp-includes/is
meta     SCS_HACKED_WORDPRESS_URI     (__SCS_HACKED_WORDPRESS_URIa || __SCS_HACKED_WORDPRESS_URIb)
describe SCS_HACKED_WORDPRESS_URI     Mail contains a URL which looks like it points to a hacked wordpress site
score    SCS_HACKED_WORDPRESS_URI     5

I appreciate that the score of 5 is high, but as a WordPress user I've never needed to use URLs which contain wp-content or wp-includes, as they are used by the internal mechanisms of the framework, so I feel confident of not getting any false positives.
Any comments welcome

Regards
Steve
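Added example (not from the post or from SpamAssassin itself): a small Python model of the two uri subrules and the meta rule above, run over constructed sample URIs on .test hosts. It shows that the meta rule fires once per message (so a message carrying both URI shapes still scores 5, not 10) and that, as written, the rule leaves wp-content/uploads links alone because subrule a only matches the plugins and themes paths.

```python
import re

# Mirror of the posted rules: SpamAssassin's /.../is flags map to re.I | re.S.
SUBRULES = {
    "__SCS_HACKED_WORDPRESS_URIa": re.compile(r"wp-content/(plugins|themes)", re.I | re.S),
    "__SCS_HACKED_WORDPRESS_URIb": re.compile(r"wp-includes", re.I | re.S),
}

# meta rule -> (condition over subrule hits, score); the score is applied once per message.
META_RULES = {
    "SCS_HACKED_WORDPRESS_URI": (
        lambda hits: hits["__SCS_HACKED_WORDPRESS_URIa"] or hits["__SCS_HACKED_WORDPRESS_URIb"],
        5.0,
    ),
}

# Constructed sample URIs (hypothetical .test hosts), as SpamAssassin would extract
# them from a message body. The first two copy the path shapes seen in the campaign.
SAMPLE_URIS = {
    "theme_path":   "http://hacked-one.test/wp-content/themes/xblog/index.php?id=741693561",
    "include_path": "http://hacked-two.test/wp-includes/js/tinymce/plugins/media/xblog/index.php?id=225070296",
    "legit_post":   "https://blog.example.test/2014/09/03/new-post/",
    "legit_upload": "https://blog.example.test/wp-content/uploads/2014/09/photo.jpg",
}


def evaluate_uri_rules(uris):
    """Return (subrule hits, fired meta rules, total score) for one message's URIs."""
    hits = {name: any(rx.search(u) for u in uris) for name, rx in SUBRULES.items()}
    fired = {name: score for name, (cond, score) in META_RULES.items() if cond(hits)}
    return hits, fired, sum(fired.values())


def classify(uris, threshold=5.0):
    """Label a message 'spam' if the rule score alone reaches the threshold, else 'ham'."""
    return "spam" if evaluate_uri_rules(uris)[2] >= threshold else "ham"


if __name__ == "__main__":
    messages = {
        "phish, theme path":    [SAMPLE_URIS["theme_path"]],
        "phish, both shapes":   [SAMPLE_URIS["theme_path"], SAMPLE_URIS["include_path"]],
        "newsletter with image": [SAMPLE_URIS["legit_post"], SAMPLE_URIS["legit_upload"]],
    }
    for label, uris in messages.items():
        hits, fired, score = evaluate_uri_rules(uris)
        print(f"{label:24} score={score:.1f} fired={sorted(fired)} -> {classify(uris)}")
```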