More computer crime anatomy

So a while ago, I posted extensively about an underground network of computer virus distributors that I’d uncovered while pursuing American ISP iPower Web about their ongoing, chronic security problems which I first wrote about last December.

It seems that in the brave new world of the Intertubes, crime does pay. It pays very well indeed, in fact. The network I documented earlier has morphed and changed radically in the past few weeks, and become larger and more resilient. In addition, a new attack vector has emerged: attacks on old, outdated versions of WordPress weblog software.

I know that a lot of folks on my flist maintain their own WordPress blogs. Please, please, please, if you run WordPress or know somebody who does, update your WordPress software. It’s quick (takes about five minutes) and easy, and all versions of WordPress prior to 2.5 should be considered completely insecure.

In the past couple of weeks, I’ve noticed a huge surge in WordPress hack attacks, to the point where last Monday there were more hacked WordPress systems than hacked iPower Web sites that were being used to redirect folks to Eastern European virus downloaders. It seems quite likely that the hackers are using automated tools to find and automatically attack old WordPress installs, though one person I’ve spoken with says he believes his WordPress install was attacked through an insecure FTP username and password that was brute-force guessed as well.

The network that is being used to distribute viruses is being fed from a lot of different sources: hacked iPower sites (of course), hacked WordPress installations, Google Groups set up as malicious redirectors, custom attack domains piggybacked on top of legitimate Web URLs, and hijacked phpBB and phpNuke installs seem to be the most common. For an update on what’s going on in the seamy computer underground, and a new map of the computer distribution network:

Clicky the link! (We are going to get technical here)