That headline is lousy for Googlization, but it got your attention, didn’t it?

First, Russell Shaw unearthed an ugly little bug in WordPress that lets malware mechanics hijack certain features of a weblog. If that sounds vague, you bet it is. I’m not going to tell you what happens, where, or how. It is sufficient to say that the exploit is possible in any currently running hosted version of WordPress. Why did we get hit? Despite the scare stories in the newspapers, malware is almost always devoted to some kind of quasi-legitimate commerce. Basically, the bug that bit us was trying to use our hosting and our traffic to conduct its business at our expense.

Not cool.

The exploit is recurrent. I can kill any particular instance of it, but since the trapdoor is in WordPress, the only way to keep this little mosquito from coming back is to keep slapping it dead — with the only alternative being to kill WordPress entirely.

Enter cron, the Unix scheduler that runs any command on the timetable you set. With luck, this hole will be closed in WordPress 2.5, which is due to be released shortly. In the meantime, once a minute we swat that mosquito, leaving not so much as a bloodstain. Most of the time it isn’t there, of course. When it is, it has 59 or fewer seconds to suck our blood before it dies again.

That much was easy, but I’ve had plenty of time to watch this little critter in action, and in consequence I’ve learned a ton about malware theory, as it were. So once every 15 minutes, cron runs a different job that combs our whole file server for suspicious files. If anything else pops up, I already know how to kill it and keep on killing it.
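Here is what that 15-minute sweep can look like in practice. This is an added example written for this page, not the script from the post (which is not shown): the web root argument, the quarantine directory, the file extensions and the grep patterns are all assumptions to be tuned to the site, and the once-a-minute swatter is site-specific, so it appears only as a crontab line with an assumed path. One deliberate difference from simply deleting the file: hits are moved into a quarantine directory, so the sample survives for a look later while it stops being served.

```shell
#!/bin/sh
# Added example, not the script from the post. A cron-driven sweep of a
# WordPress web root for files that look like injected PHP, with quarantine
# instead of plain deletion so the sample survives for analysis.
# ASSUMPTIONS: the QUARANTINE path, the extensions and the patterns below.
#
# Suggested crontab lines (paths assumed; install with `crontab -e` as the
# user that owns the web root). The once-a-minute swatter is site-specific
# and is not part of this example:
#   * * * * *     /usr/local/sbin/wp-swat.sh
#   */15 * * * *  /usr/local/sbin/wp-sweep.sh /var/www/html

QUARANTINE="${QUARANTINE:-/var/quarantine}"

# Patterns typical of injected PHP: obfuscated eval chains, and a request
# parameter used as a function name (a classic one-line web shell).
SUSPICIOUS_RE='eval\((base64_decode|gzinflate|str_rot13)\(|\$_(GET|POST|REQUEST|COOKIE)\[[^]]*[]]\('

# sweep_suspicious DIR
# Prints, one path per line, every file under DIR that either matches
# SUSPICIOUS_RE or is PHP sitting in the uploads tree, where only media belongs.
sweep_suspicious() {
  _dir="$1"
  {
    find "$_dir" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) \
         -exec grep -lE "$SUSPICIOUS_RE" {} + 2>/dev/null || true
    if [ -d "$_dir/wp-content/uploads" ]; then
      find "$_dir/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' \) -print
    fi
  } | sort -u
}

# quarantine_file FILE
# Moves FILE into QUARANTINE under a timestamped name that still records the
# original path, so the evidence is kept and the file stops being served.
quarantine_file() {
  _f="$1"
  mkdir -p "$QUARANTINE"
  _name=$(printf '%s' "$_f" | tr '/' '_')
  mv -- "$_f" "$QUARANTINE/$(date +%Y%m%dT%H%M%S)${_name}"
}

# sweep_and_quarantine DIR
# Quarantines every hit, reports each one on stderr (cron mails that to the
# crontab owner), and prints the number of files quarantined.
sweep_and_quarantine() {
  _list=$(mktemp)
  sweep_suspicious "$1" > "$_list"
  while IFS= read -r _f; do
    quarantine_file "$_f"
    printf 'wp-sweep: quarantined %s\n' "$_f" >&2
  done < "$_list"
  wc -l < "$_list" | tr -d ' '
  rm -f "$_list"
}

# When run as the cron job, pass the web root as the first argument;
# sourcing the file with no argument only defines the functions.
if [ $# -gt 0 ]; then
  sweep_and_quarantine "$1"
fi
```

Two caveats a practitioner will want: the patterns catch the lazy, common obfuscation and nothing more, so expect to add to them after each new sighting, and a sweep like this runs as a cleanup, not a fix; the hole the post describes is still open until WordPress is patched, which is exactly why the job has to keep running.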

All of which leads me to say: I love the Apache web-server technology. Where else can you drop a ton of Acme DDT onto one little mosquito once a minute — like Wile E. Coyote at his most frenzied — without even breaking a sweat?

Alright, that’s the first thing. Here’s the second. An entirely different crew of malware mechanics has figured out a new twist on the old Phone Phreaking game called Social Engineering.

Here’s what’s happening: Some slug has sussed out how to socially connect the names and email addresses he finds on BloodhoundBlog. So you might get an email, putatively from me or some other BHB contributor. Inside is a zip file, and you know from years and years of Dire Warnings about computer viruses that you must never open an unexpected zip attachment. But, what the heck, it’s from Greg Swann. No, it isn’t. It’s a malware email with a forged return address, and if you double-click on that zip file and run what is inside, you will have delivered the payload yourself.

What is it? Don’t ask me. I won’t look, not even on a Macintosh. Very probably it’s relatively harmless adware of some sort, but, even running BSD Unix, I’m not playing games with viruses.

Here’s the deal: If you get an unexpected email containing a zip file, even if it seems to have come from someone you know and trust, phone the putative sender, or email them at the address you already have rather than replying to the message, to make sure that person actually sent you the archive. Don’t be amazed that criminals were almost clever enough to slip past your defenses, but do be on your guard, even among friends.
