Major WordPress Malware Threat — Active VisitorTracker Campaign

DEVELOPMENT

Major WordPress Malware Threat — Active VisitorTracker Campaign

For the last couple of weeks Sucuri have been tracking a new Malware threat that has gained significant traction over the last 48-72 hours.

For the last couple of weeks, Sucuri has been tracking a new Malware threat that has gained significant traction over the last 48-72 hours. The threat they call the "Active VisitorTracker Campaign" is easy to identify due to very specific "visitorTracker_isMob" code being used.

As of the 18th September 2015, a little over 6 million websites now infected, with over 5 million of those infections occurring in the previous 48 hours. The chart created by Sucuri shows the rate of infections below:

Active VisitorTracker Campaign

As you can see, the rate of infection is significant.

What does the Active VisitorTracker Malware do?

According to Sucuri, the final goal of the infection is to redirect the visitors to the website to a Nuclear Exploit Kit landing pages, which can, in turn, use many techniques to infect the physical computers of those visitors. Some examples of the methods employed include infecting the visitors computer using Flash, Silverlight, PDF, and Internet Explorer to install malware or ransomware.

For a more detailed \ technical article on the Nuclear Exploit Kit click here.

The exploit works by inserting the following code into your website:

function visitorTracker_isMob( )
{
var ua = window.navigator.userAgent.toLowerCase();
if(/(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|mi..|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc .. |vx(52|53|60|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|WI(g |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-/i.test(ua.substr(0,4))) {
return true;
return false;
} /* .. visitorTracker .. */ /*

This code will then force the visitors webpage to load an iframe from one of the Nuclear Exploit Kit landing pages which then infects the visitors computer.

An example of the exploit in action has been noted by Jerome Segura from MalwareBytes showing an infection on a website owned by a large security provider (Coverity):

nuclear-ek-coverity-

But they are not the only major security company affected by this exploit.

Sucuri itself is infected by this Malware (Update — False alarm)

We originally ran a story that implied that Sucuri was itself infected by this malware, due to both Norton anti-virus and their Sitecheck flagging what has turned out to be a false positive. We have updated this article to remove the screenshots and other information showing the false positive, but retained the information from Sucuri responses below in case anyone is looking for an update:

Update 1: We have since heard back from Sucuri:

indeed, since we publish details about attacks and malicious code on labs.sucuri.net, this can sometimes be flagged in SiteCheck. Not a big deal, though — you can see it's alerting about a blog post that actually discusses the malware in question.

Regarding Norton flagging our labs website, I'll escalate this to one of my seniors to have a look.

Certainly, this could be a false alarm, but with Norton also flagging the issue the concern is legitimate, and until we hear back further we recommend exercising caution.

Update 2: Sucuri CEO added his response:

You can find the full response of the CEO, Tony Perez, in the comments below, but for ease of reading we have highlighted the pertinent part below:

Thanks for sharing our information, but I did want to let you know it is a bit misleading. We are not and have not been compromised by this infection. [..]

Yes, we flagged ourselves. and it caused others, like Norton to flag us as well.. these however are false positives. We have direct lines of communication with many vendors

Update 3: Norton warning cleared

A second response from the Support team at Sucuri:

Just an update that the Norton warning has been cleared too.

They generated the warning for the same reason that sitecheck did, because it saw the "visitorTracker_isMob" code in one of our labs notes. The snipped we posted was never functional and would not cause any issue to anyone's visiting it. However, was close enough to the real malware that caused our malware scanning to generate

an alert.

It is quite reassuring they cleared this false positive with Norton so quickly.

17 percent of Infected websites already blacklisted by Google

The seriousness of this Malware cannot be understated. Not only are you opening up your Visitors computers to malware \ ransomware, but Google appears to be very quickly blacklisting any websites affected by this exploit.

According to Sucuri, 17 percent of all websites they have discovered with the exploit are already blacklisted by Google and other popular blacklists.

How to check if your website is infected with the VisitorTracker Malware?

The easiest way to check if your website is infected is to use the free tool by Sucuri. If you are infected you will receive a result as follows:

Sucuri SiteCheck Sucuri infection

The above example is a false positive, as it refers to the Sucuri notes which contain a copy of the offending code; however it will give you some idea of what to expect. If you have a positive result yourself, we highly recommend using Sucuri's service to clean up your website. Just select the "clean up my website" button, and choose the appropriate subscription. Requesting a cleanup takes less than a minute, and your website will be fixed. Also, the relevant applications for removing any blacklists will also be made.

How can you protect yourself as a website visitor?

While we haven't checked all computer firewalls \ anti-virus programs, but we can confirm that Norton successfully prevented us from visiting a website infected with this malware.

We run this website using the Sucuri Firewall product and can highly recommend them if you want to increase the security and performance of your website.

Check out our top user-rated host: SiteGround
Need help choosing a hosting provider?
Check out our top user-rated host: SiteGround