The smokescreen: a new spambot hiding in its own traffic

WordPress is in the spotlight again. Researchers have detected another aggressive piece of malware spreading from compromised sites that run this popular CMS. At the moment, more than 200 infected sites are known.

Wigon.PH_44 is a spambot. Researchers have found it to be a close relative (rather than a new version) of another infamous piece of malware, Pushdo/Cutwail. That spam botnet was first reported in 2007. By 2009 it had become the largest spam-sending network, pushing out up to 51 million messages per minute, roughly 46.5% of global spam traffic. In August 2010, researchers from several major universities knocked out 20 of its 30 control servers, but they did not manage to eliminate it completely, and it has kept operating since.

After the author of the Blackhole exploit kit was arrested, its use declined, and with it the flood of malicious spam from botnets, Cutwail included. Attackers who had relied on Blackhole were forced to look for other ways of delivering the programs they use to steal money: banking malware and ransomware (screen lockers and file encrypters), which are increasingly aimed at companies rather than end users.

A new spambot is being distributed from a number of compromised WordPress sites. The Wigon malware attempts to conceal its activity within its own traffic.

Wigon looks like one of those "alternatives". Its most characteristic feature is a "smokescreen" of harmless HTTP POST and GET requests that hides its real traffic, i.e. its own spam.

However, the spambot's functions are not limited to spamming. It includes components for stealing data from email clients and from FTP clients such as CuteFTP, FTP Commander, FTP Navigator and FileZilla. After installation, the malware connects to its control server and receives commands to send spam that distributes other malicious programs.

The problem is that it is still unknown exactly how the malware initially compromises WordPress sites. WordPress is a free, and therefore extremely popular, content management system used by many organizations.

Last spring and summer there were at least two large-scale campaigns in which a fairly large botnet tried to brute-force WordPress admin panels to obtain their logins and passwords. There was speculation that someone was building a new botnet, this time out of servers running WordPress.
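As an added example, not part of the original report and not the researchers' own tooling: a short Python script that scans Apache combined-format access-log lines for the brute-force pattern described above, i.e. many POSTs to wp-login.php from a single client. It relies on one WordPress behaviour worth knowing: a failed login re-renders the form with HTTP 200, while a successful one answers 302 (redirect to wp-admin), so a long run of 200s ending in a 302 from the same IP means the brute force worked. It goes slightly beyond the page by also counting POSTs to xmlrpc.php, which accepts authenticated calls and is abused for the same purpose. The log lines, IP addresses and the threshold of 10 attempts are constructed assumptions.

```python
import re
from collections import defaultdict

# Apache "combined" log format: ip ident user [ts] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoints that accept credentials: the login form and the XML-RPC endpoint
# (xmlrpc.php is an addition beyond the page; it takes authenticated calls such
# as wp.getUsersBlogs and is brute-forced the same way).
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_bruteforce(lines, threshold=10):
    """
    Return {ip: {"attempts": int, "success": bool}} for every client IP that
    POSTed to a login path at least `threshold` times.

    "success" is set when a wp-login.php POST got a 302: WordPress redirects to
    wp-admin on a correct password and answers 200 on a wrong one. xmlrpc.php
    answers 200 either way, so success is not inferred for it.
    """
    stats = defaultdict(lambda: {"attempts": 0, "success": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0]   # drop query string, e.g. ?action=lostpassword
        if path not in LOGIN_PATHS:
            continue
        s = stats[rec["ip"]]
        s["attempts"] += 1
        if path == "/wp-login.php" and rec["status"] == "302":
            s["success"] = True
    return {ip: s for ip, s in stats.items() if s["attempts"] >= threshold}


def _line(ip, method, path, status, n):
    """Build one constructed log line; n is turned into a second counter for the timestamp."""
    return (f'{ip} - - [10/Mar/2014:12:{n // 60:02d}:{n % 60:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 3521 "-" "Mozilla/5.0"')


# Constructed sample: one attacker hammering wp-login.php until a 302 (success),
# one client with a few failed attempts, and ordinary GET traffic.
SAMPLE_LOG = (
    [_line("203.0.113.7", "POST", "/wp-login.php", 200, i) for i in range(12)]
    + [_line("203.0.113.7", "POST", "/wp-login.php", 302, 12)]
    + [_line("198.51.100.9", "POST", "/wp-login.php", 200, i) for i in range(3)]
    + [_line("192.0.2.44", "GET", "/wp-login.php", 200, 20)]
    + [_line("192.0.2.44", "GET", "/index.php", 200, 21)]
)


if __name__ == "__main__":
    for ip, s in find_bruteforce(SAMPLE_LOG).items():
        verdict = "LOGIN SUCCEEDED" if s["success"] else "no success seen"
        print(f'{ip}: {s["attempts"]} login POSTs, {verdict}')
```

On a real server, feed the script the access log with `find_bruteforce(open("/var/log/apache2/access.log"))`. A flagged IP whose run ends in a 302 should be treated as a compromised account, not just a noisy source: rotate that user's password and check wp-admin for unfamiliar users, plugins and theme edits.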

There is reason to suspect that Wigon's spread across WordPress sites may be a consequence of one of those campaigns, although this cannot be proven yet.

Whatever the case, this story is one more reason for companies running WordPress to test their servers and CMS for vulnerabilities and to install all necessary updates as soon as possible.

Botnets do not arise out of nowhere. In most cases, the average computer in a malicious network is a user's machine: old, running a pirated copy of Windows (mostly Windows XP) and a long-expired antivirus. Nevertheless, the mere fact that Wigon runs on both Windows XP (including its 64-bit version) and Windows 8 hints that very old machines are not the only ones that can become so-called zombies, clogging communications with spam and distributing malware. Moreover, they are not necessarily users' computers. Given a chance to plant Trojans in a corporate network or set up a control server inside it, botnet masters will not hesitate to do so, especially since corporate broadband links would let them push out far more junk traffic.

Tips