Eight-Year Study Finds 24,931 WordPress Sites Using Malicious Plugins
"Since 2012 researchers in the Georgia Tech Cyber Forensics Innovation Laboratory have uncovered 47,337 malicious plugins across 24,931 unique WordPress websites through a web development tool they named YODA," warns an announcement released Friday:According to a newly released paper about the eight-year study, the researchers found that every compromised website in their dataset had two or more infected plugins. The findings also indicated that 94% of those plugins are still actively infected. "This is an under-explored space," said Ph.D. student Ranjita Pai Kasturi who was the lead researcher on the project. "Attackers do not try very hard to hide their tracks and often rightly assume that website owners will not find them." YODA is not only able to detect active malware in plugins, but it can also trace the malicious software back to its source. This allowed the researchers to determine that these malicious plugins were either sold on the open market or distributed from pirating sites, injected into the website by exploiting a vulnerability, or in most cases, infected after the plugin was added to a website. According to the paper written by Kasturi and her colleagues, over 40,000 plugins in their dataset were shown to have been infected after they were deployed. The team found that the malware would attack other plugins on the site to spread the infection. "These infections were a result of two scenarios. The first is cross-plugin infection, in which case a particular plugin developer cannot do much," said Kasturi. "Or it was infected by exploiting existing plugin vulnerabilities. To fix this, plugin developers can scan for vulnerabilities before releasing their plugins for public use." Although these malicious plugins can be damaging, Kasturi adds that it's not too late to save a website that has a compromised plugin. Website owners can purge malicious plugins entirely from their websites and reinstall a malware free version that has been scanned for vulnerabilities. To give web developers an edge over this problem, the Cyber Forensics Innovation Laboratory has made the YODA code available to the public on GitHub.
Read more of this story at Slashdot.