*WARNING* Wordpress + outdated plugins client side!!!

Discussion in 'WordPress' started by deathshadow, Feb 7, 2016.

    I've helped six people with this the past week, one former client being totally screwed by this and now a former employer who I did not leave on the best of terms has it, and still seems to refuse to acknowledge they are infected. (more on that in Off Topic shortly -- since I'm going to be spamming a venting rant about them after five years of silence across a slew of forums and social media)

    http://arstechnica.com/security/201...cks-silently-delivers-ransomware-to-visitors/

    That it only deploys the code on the site on a cache empty first-time visit it's VERY hard to tell if the site in question has it. You basically have to disable cookies AND caching to have any chance of noticing the malicious script appended to the code.

    Or at least that WAS the case... now, a new player has entered the fray on detecting it -- the anti-malware used by Firefox, Chrome, Vivaldi and several other browsers are now throwing up the big red "this site has malware" screen warning you NOT to continue. IF you are encountering this on your domain, do NOT be a dumbass blindly contacting the malware prevention places asking to be removed from the blacklists until you are DAMNED certain you aren't infected! I've watched two people and one company do this under the delusion it was a false positive!!!

    This is however NOT exactly anything new as over the past two months there have been related incidents that I believe led up to this:

    http://arstechnica.com/security/201...usands-of-wordpress-sites-to-infect-visitors/

    http://arstechnica.com/security/201...rdpress-sites-infected-by-mysterious-malware/

    The only reason this hasn't been more widespread is that the avenue of attack requires outdated versions of things that for MOST users have automatically updated for them; Flash, Java OR Silverlight. It appears to work if ANY of those are present and out of date. If this was able to spread via CURRENT versions of those programs, this would be an outbreak the likes of which we've not seen since NeverNoSanity hit phpBB over a decade ago. (taking down a third the web in the process)

    I've tried to study the avenue of attack, but that's not entirely an area I'm an expert in. I ended up intentionally infecting a VM (so I had a fairly safe sandbox to contain it) and near as I can tell this is the process of how it spreads.

    1) a user with the outdated plugin visits an infected wordpress site cache-empty, cookies empty or on a first time visit. (This is particularly brilliant since it makes the "security minded" practice of wiping cookies and privacy browsing part of the attack vector!)

    2) The virus plays a shell-game of loading site after site of scripted embeds that EVENTUALLY runs code in one of those aforementioned plugins that infects the host computer.

    3) If the user then visits a wordpress site they have the ability to write articles on, the infection is spread to that site. I'm STILL not quite sure how this is accomplished as I cannot find the hole it's using to upload itself. I suspect it may in fact be attaching it somehow to the POST data but was unable to see it when monitoring/logging network throughput. It's either something so painfully obvious you'd never think to look for it, or so amazingly complex that no single person could ever figure it out... honestly either alternative is a bit terrifying.

    4) This infection lies dormant until a specified period of time, a certain level of inactivity, or a windows update based reboot takes place, at which point it CLAIMS to have encrypted the files and delivers the ransomware message. The data is not in fact encrypted, anything in the current user account folder is deleted, data elsewhere on the drive remains unharmed.

    I tested a few AV, and as of today (Feb 7, 2016) only Panda AV seems to think something's amiss and stops it from infecting the host system. Still the CORRECT procedure for preventing this is to update all your plugins.

    I was also able to make it deploy on OSuX and Linsux, so this is NOT a Winblows only issue! Again, since these plugins exist cross platform.

    One of the reasons people have had a distrust of plugins; that's actually one of the few selling points of the HTML 5 (and stuff slapped under its banner) alternatives is they generally don't have the access to system level resources plugins do.

    At the same time, a LOT of those plugins are chosen BECAUSE they allow that level of access for things you can't do from JS, so it's lose/lose any way you look at it. :(

    Of the people I've helped, I was able to get two of them back up and running using backups and a clean install without any plugins, but Christmas knows how long until it's re-infected. I did instruct them to make sure ANYONE able to post blog entries or other non-comment content has those plugins disabled or up to date. IF you have a wordpress blog, even though the risk is relatively low, do yourself a favor and disable those plugins in your browser whilst maintaining your site, JUST to be safe. Honestly, I consider that good practice anyways, but a lot of people "Just can't be bothered" or "don't know what that means"...

    Two things that trigger my, "and we ALLOW you to have a website WHY again?" kneejerk reaction!

    The rest of the ones accepting my help, well.... are up shit creek because they don't have backups or their ISP was supposedly doing them and those copies are all utterly banjaxed or a year or more old. Hence TWO of my biggest rules:

    1) Backup often

    2) Don't trust your host to do it for you!

    As to the former employer, after nearly a week of malware blacklisting and constantly spamming the blacklists to try to get de-listed only YESTERDAY had a staff member admit they MIGHT be infected. :/ Naturally they seem to have gone completely silent on the topic, deleting any messages of people reporting it or suggestions on fixing it, and generally having put a PR gag order on the situation instead of manning up, saying they got hacked, or what they plan to do about it. (which seems to be nothing).

    But, I warned them six years ago not to use Turdpress, since at the time that 2008 PWnie for M4ss 0wnage was fresh in our minds. Given the MASSIVE "insecure by design" back-end of slapping the SQL login info into define, keeping the connections global in scope, and generally only having a "one ring" security policy, exploits like this should actually be far more common than they have been. Whilst they certainly made great strides since version 3 dropped, I cannot say that this event surprises me in the slightest.

    It's like they have one giant wall, and the keys to the kingdom hanging in plain sight inside the gate.

    Which again is why I still say that Wordpress is a cute toy for making a blog for grandma, but not one legitimate site has ANY damned business using it if they are serious about their web presence. Between the ineptitude that are 99.99% of the templates on the front end (including the default one) and even more massive ineptitude that is the back end, the only way this can continue to be popular is the outright ignorance of the people deploying it by choice, or the simple fact that the scam artists duping clients into using it really don't give a shit about those clients so long as they get paid.

    But at least I'm making some more pocket change cleaning up after other people's messes created by ignorant choices again... and again just more proof of why I would NEVER tell someone to use it, would NEVER deploy it for one of my websites, and say that if it's the "best choice" for your business you probably shouldn't have a website!

    Really though this is just an indication of deeper rooted issues that happen when something gets inside that outer perimeter in Wordpress. We're LUCKY the vector is such a small and narrow one as if it was working on up to date plugins or some commonly used mod/extension to wordpress, we would likely be seeing a replay of NeverNoSanity / Santy right now.
    Last edited: Feb 7, 2016
    deathshadow, Feb 7, 2016 IP
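The post points out that the injected script is only served on a cache-empty, cookie-less first visit, which is why checking a site in a normal browser session misses it. The helper below is an added example (not code from the original post): it fetches a page the way a fresh visitor would (no cookies, no-cache headers) and lists `<script>` tags whose host is not on a baseline allowlist. The hostnames, the allowlist and the sample HTML are constructed for the demo.

```python
"""First-visit script check: fetch like a new visitor, flag unknown script hosts."""
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

# Mimic a first-time visitor: no Cookie header is sent, caches are bypassed.
FIRST_VISIT_HEADERS = {
    "Cache-Control": "no-cache",
    "Pragma": "no-cache",
    "User-Agent": "Mozilla/5.0 (first-visit check)",
}

class ScriptCollector(HTMLParser):
    """Collects src attributes of <script> tags and counts inline scripts."""
    def __init__(self):
        super().__init__()
        self.srcs, self.inline = [], 0
    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self.inline += 1   # inline blobs are worth eyeballing against a clean copy

def unexpected_scripts(html, page_url, allowed_hosts):
    """Return (external script URLs not on the allowlist, inline script count)."""
    parser = ScriptCollector()
    parser.feed(html)
    own_host = urlparse(page_url).hostname
    flagged = []
    for src in parser.srcs:
        host = urlparse(src).hostname or own_host   # relative src = the site itself
        if host != own_host and host not in allowed_hosts:
            flagged.append(src)
    return flagged, parser.inline

def fetch_as_first_visit(url, timeout=15):
    """Fetch url with no cookies and cache-busting headers (network call)."""
    req = urllib.request.Request(url, headers=FIRST_VISIT_HEADERS)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")

# Constructed sample pages so the check can be run offline.
CLEAN_HTML = ('<html><head><script src="/wp-includes/js/jquery.js"></script>'
              '<script src="https://cdn.example-allowed.net/lib.js"></script>'
              '</head><body>ok</body></html>')
INJECTED_HTML = CLEAN_HTML.replace(
    "</body>", '<script src="http://unknown-host.example/loader.js"></script></body>')

if __name__ == "__main__":
    import sys
    html = fetch_as_first_visit(sys.argv[1]) if len(sys.argv) > 1 else INJECTED_HTML
    flagged, inline = unexpected_scripts(html, "https://blog.example.com/",
                                         {"cdn.example-allowed.net"})
    print("unexpected external scripts:", flagged, "| inline scripts:", inline)
```

Run it against a clean copy of the site first to build the allowlist, then re-run without cookies after every maintenance session; anything new in the flagged list deserves a look before asking any blacklist for removal.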