"11,000 Sites Have Been Infected With Malware That's Good at Avoiding Detection"

According to researchers from the security firm Sucuri, nearly 11,000 websites have been infected with a backdoor capable of redirecting visitors to websites that generate fake views of Google AdSense advertisements. All of the infected websites discovered by Sucuri use the WordPress Content Management System (CMS) and have an obfuscated PHP script injected into their legitimate files. These files include "index.php," "wp-signup.php," "wp-activate.php," "wp-cron.php," and more. In addition, some of the infected websites have obfuscated code injected into wp-blog-header.php and other files. The additional injected code functions as a backdoor designed to prevent the malware from being eradicated by loading itself into files that run whenever the targeted server is rebooted. Sucuri researcher Ben Martin explained that these backdoors download additional shells and a Leaf PHP mailer script from a remote domain and place them in files with random names in the wp-includes, wp-admin, and wp-content directories. Since the additional malware injection is embedded in the wp-blog-header.php file, it will execute each time the website is loaded and reinfect it. This guarantees that the environment will remain infected until all traces of the infection have been eliminated. This article continues to discuss the infection of about 11,000 websites with malware that is effective at evading detection.
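Because the infection described above modifies core files and drops randomly named files into core directories, one defensive check is to compare the live tree against a clean copy of the same WordPress release. The following is an added example, not code from Sucuri or the article; the function names and the assumption that a clean reference copy is unpacked locally are hypothetical.

```python
import hashlib
import json
import sys
from pathlib import Path

# Assumption: these directories hold only WordPress core files. wp-content is
# left out of the unknown-file check because it legitimately holds plugins,
# themes and uploads that a clean core archive does not contain.
CORE_ONLY_DIRS = ("wp-includes", "wp-admin")


def sha256(path: Path) -> str:
    """Return the SHA-256 hex digest of a file's contents."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit(site, clean) -> dict:
    """Compare a live WordPress tree against a clean copy of the same release."""
    site, clean = Path(site), Path(clean)
    report = {"modified": [], "missing": [], "unknown": []}

    # 1. Every PHP file in the reference must match the live copy byte for
    #    byte. This covers index.php, wp-cron.php, wp-blog-header.php, etc.
    for ref in sorted(clean.rglob("*.php")):
        rel = ref.relative_to(clean)
        live = site / rel
        if not live.is_file():
            report["missing"].append(rel.as_posix())
        elif sha256(live) != sha256(ref):
            report["modified"].append(rel.as_posix())

    # 2. Any file in a core-only directory that the reference lacks is
    #    suspect, e.g. a randomly named shell or mailer script.
    for name in CORE_ONLY_DIRS:
        for live in sorted((site / name).rglob("*")):
            rel = live.relative_to(site)
            if live.is_file() and not (clean / rel).exists():
                report["unknown"].append(rel.as_posix())
    return report


if __name__ == "__main__":
    # Usage: python audit.py /path/to/live/site /path/to/clean/wordpress
    print(json.dumps(audit(sys.argv[1], sys.argv[2]), indent=2))
```

Files reported as modified should be replaced from the clean copy and unknown files reviewed together in one pass, since a remaining injection in wp-blog-header.php reinfects the site on the next page load.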

Ars Technica reports "11,000 Sites Have Been Infected With Malware That's Good at Avoiding Detection"

Submitted by Anonymous on