This blog was attacked by a worm in March-May (clean now)
As if blogging wasn’t hard enough, I had the fun experience of cleansing this site from a worm that seems to have gone around and infected many WordPress blogs recently.
The site is clean now. The hosting provider (GoDaddy) has also checked over it and found no more infected files.
Users of Trend Micro and Kaspersky virus software were receiving a warning when visiting the site earlier this year. Meanwhile Symantec/Norton and Avast users (like myself) unfortunately didn’t receive a warning.
If you visited this site around May 20th you may have seen a scareware dialog box. It scared you with a fake warning that your computer had malware and, to my understanding, would redirect you to a malware site and encourage you to purchase fake antivirus software. Presumably, if you did that, your computer will have been infected (my apologies). If you didn’t, then you should be fine.
GoDaddy’s blog has a mindblowing description of how this sophisticated worm worked. Even more surprising are articles on the criminal networks that seem to be linked to this worm.
Rebuilding and upgrading WordPress didn’t fix the problem. The worm was coming back in a matter of days.
Technically speaking, the worm was a string of base64-encoded PHP code that was being injected as the first line of every PHP file on my site. Given that this blog runs on WordPress, there are countless PHP files in use.
Working down the long list of things one needs to do to close the holes a worm uses, one of the measures finally seems to have done the trick.
Keeping fingers crossed.
Until today, I couldn’t Google any useful info about this worm. But my old colleague Ozgur from MicroStrategy suggested decrypting the base64-encoded worm code which was being injected into every PHP file on my site. So I took an old infected file that I had saved away. In it there turned out to be double-encoded code that led to a domain name which was registered by a fake Yahoo address. A Google search on that Yahoo address led to all the background info above.
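The decoding step described above can be turned into a small triage tool. The script below is an added example, not code from the original post or from WordPress or GoDaddy: it checks whether a PHP file's first line is an injected `eval(base64_decode(...))` stub, peels nested base64 layers the way the double-encoded payload here required, pulls out any domain names found inside, and can strip the injected line. The infected sample, the `worm-placeholder.invalid` domain, and the exact shape of the injected stub are constructed assumptions; the real worm may have used a different wrapper, so adjust `INJECTED_RE` to what you actually see in an infected file.

```python
"""Triage helper for a WordPress site where every PHP file got an injected
first line of base64-encoded PHP (added example, not the post's own code)."""
import base64
import re
import sys
from pathlib import Path

# Assumed shape of the injected stub: <?php eval(base64_decode("...")); ?>
INJECTED_RE = re.compile(
    r'<\?php\s+eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']'
    r'\s*\)\s*\)\s*;\s*\?>'
)
# A quoted run of base64 characters long enough to be a nested payload.
B64_RE = re.compile(r'["\']([A-Za-z0-9+/]{16,}={0,2})["\']')
# Hostnames in http(s) URLs; these are the indicators worth searching on.
DOMAIN_RE = re.compile(r'https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})')


def peel_base64(blob: str, max_depth: int = 5):
    """Decode base64 repeatedly while the result contains another quoted
    base64 literal. Returns the decoded layers, outermost first."""
    layers = []
    current = blob
    for _ in range(max_depth):
        try:
            decoded = base64.b64decode(current, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            break
        layers.append(decoded)
        nested = B64_RE.search(decoded)
        if not nested:
            break
        current = nested.group(1)
    return layers


def inspect_php(source: str):
    """Return (is_infected, sorted_domains) for the text of one PHP file."""
    first_line = source.split("\n", 1)[0]
    match = INJECTED_RE.match(first_line)
    if not match:
        return False, []
    domains = []
    for layer in peel_base64(match.group(1)):
        domains.extend(DOMAIN_RE.findall(layer))
    return True, sorted(set(domains))


def clean_php(source: str):
    """Strip the injected first line; unchanged text if the file is clean."""
    first_line, _, rest = source.partition("\n")
    return rest if INJECTED_RE.match(first_line) else source


def scan_tree(root: Path):
    """Map each infected *.php path under root to the domains found in it."""
    findings = {}
    for path in root.rglob("*.php"):
        infected, domains = inspect_php(path.read_text(errors="replace"))
        if infected:
            findings[str(path)] = domains
    return findings


# Constructed sample: a harmless inner script naming a placeholder domain,
# wrapped in two base64 layers the way the post describes the real payload.
INNER = '<?php $u = "http://worm-placeholder.invalid/load.php"; ?>'
MIDDLE = 'eval(base64_decode("%s"));' % base64.b64encode(INNER.encode()).decode()
OUTER = base64.b64encode(MIDDLE.encode()).decode()
SAMPLE_INFECTED = ('<?php eval(base64_decode("%s")); ?>\n'
                   '<?php\n// legitimate plugin code\necho "hello";\n' % OUTER)
SAMPLE_CLEAN = '<?php\necho "hello";\n'

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, domains in scan_tree(Path(sys.argv[1])).items():
            print(f"INFECTED {path}: {', '.join(domains) or 'no domain found'}")
    else:
        print(inspect_php(SAMPLE_INFECTED))  # constructed sample
        print(inspect_php(SAMPLE_CLEAN))
```

Run it with the site's document root as the only argument to list infected files and the hostnames buried in their payloads; run it with no argument to see the constructed sample decoded. The scanner only reads files, so it is safe to run before deciding whether to restore from a clean backup or strip the injected lines with `clean_php`.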
Fingers crossed that the holes are all closed.
Many thanks to Ozgur!