Sucuri threat researcher Denis Sinegubko says a "massive" advertising scam campaign is affecting users visiting WordPress sites, injecting backdoors and constantly re-infecting sites.
"This past weekend we registered a spike in WordPress infections where hackers injected encrypted code at the end of all legitimate .js files," Sinegubko says. "This malware uploads multiple backdoors into various locations on the web server and frequently updates the injected code. This is why many webmasters are experiencing constant re-infections post-cleanup of their .js files." Sinegubko says the malware infects every accessible .js file across all domains hosted on the same hosting account, a pattern known as cross-site contamination.
"It’s not enough to clean just one site or all but one – an abandoned site will be the source of the reinfection," he says. "In other words, you either need to isolate every site or clean/update/protect all of them at the same time." The injected code is encrypted and mutates from site to site, but decrypts into the same underlying structure.
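Because the campaign appends code to the end of otherwise legitimate .js files and re-infects after cleanup, a simple baseline integrity check across every site root on the account catches both the initial change and the re-infection without needing a signature for the mutating payload. The script below is an added example, not Sucuri's tooling or code from the article: it records a SHA-256 manifest of all .js files under several document roots, then on a later pass classifies each file as unchanged, appended (original bytes still intact as a prefix), otherwise modified, missing, or new. The directory layout, file contents and the appended trailer in `demo()` are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(roots):
    """Record size and SHA-256 of every .js file under each site root.

    Keys are absolute paths so the same manifest can cover several
    document roots on one hosting account at once."""
    manifest = {}
    for root in roots:
        for path in sorted(Path(root).rglob("*.js")):
            data = path.read_bytes()
            manifest[str(path)] = {"size": len(data), "sha256": sha256(data)}
    return manifest


def save_manifest(manifest, dest):
    Path(dest).write_text(json.dumps(manifest, indent=1))


def load_manifest(src):
    return json.loads(Path(src).read_text())


def compare(manifest, roots):
    """Return (path, status, extra_bytes) for every file that differs from baseline.

    status is one of: "appended", "modified", "missing", "new".
    "appended" means the original bytes are still a prefix of the file,
    i.e. something was tacked onto the end, which is the pattern the
    article describes; extra_bytes is the length of that trailer."""
    current = {}
    for root in roots:
        for path in sorted(Path(root).rglob("*.js")):
            current[str(path)] = path.read_bytes()

    findings = []
    for path, rec in manifest.items():
        data = current.get(path)
        if data is None:
            findings.append((path, "missing", 0))
        elif len(data) == rec["size"] and sha256(data) == rec["sha256"]:
            continue  # unchanged
        elif len(data) > rec["size"] and sha256(data[: rec["size"]]) == rec["sha256"]:
            findings.append((path, "appended", len(data) - rec["size"]))
        else:
            findings.append((path, "modified", 0))
    for path in current:
        if path not in manifest:
            findings.append((path, "new", 0))
    return sorted(findings)


def demo():
    """Constructed two-site hosting account: baseline, then simulate a trailer
    appended to every .js file on both sites and re-check. Returns both results."""
    with tempfile.TemporaryDirectory() as tmp:
        roots = [Path(tmp, "site-a", "public_html"), Path(tmp, "site-b", "public_html")]
        for root in roots:
            (root / "wp-includes" / "js").mkdir(parents=True)
            (root / "wp-includes" / "js" / "jquery.js").write_text("/* constructed jquery stub */\n")
            (root / "wp-content" / "themes").mkdir(parents=True)
            (root / "wp-content" / "themes" / "main.js").write_text("console.log('theme');\n")

        manifest_file = Path(tmp) / "js-manifest.json"
        save_manifest(build_manifest(roots), manifest_file)
        manifest = load_manifest(manifest_file)
        clean = compare(manifest, roots)

        # Constructed placeholder trailer standing in for the injected code;
        # the real payload is encrypted and differs per site, so no signature is used.
        trailer = b"\n;(function(){/* constructed appended trailer */})();\n"
        for root in roots:
            for path in root.rglob("*.js"):
                with path.open("ab") as fh:
                    fh.write(trailer)
        infected = compare(manifest, roots)
        return {"clean": clean, "infected": infected, "trailer_len": len(trailer)}


if __name__ == "__main__":
    for finding in demo()["infected"]:
        print(finding)
```

In practice the manifest is regenerated right after a full cleanup of every site on the account, then `compare` runs from cron against all document roots; an "appended" finding on several sites at once is exactly the cross-site re-infection the article warns about, and a file that has changed on one site only is often the abandoned install that is reseeding the others.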
It sets an advertising cookie on infected machines and injects invisible iframes into pages over a 24-hour period. Sinegubko notes the malware uses domain shadowing, a favourite VXer trick in which attackers add malicious subdomains to legitimate second-level domains after gaining access to the owner's DNS records.