This week there have been several major malware injection campaigns against WordPress blogs and other php-based content management systems. This malware injection battle began last week with Network Solutions and GoDaddy.
Researcher Dancho Danchev has recently found evidence linking two US Treasury sites to the malware injection campaign:
While it’s too early to assume anything, any speculation about motive has to refer back to GoDaddy’s recent stand on China. Wired reported on GoDaddy’s stand against censorship in China a few months back:
- Christine Jones, who announced the company’s decision to stop reselling Chinese top-level domain names at a meeting of the Congressional-Executive Commission on China.
- “We were having to contact Chinese users to ask for their personal information and begrudgingly give it to Chinese authorities,” Jones told Congress. “We decided we didn’t want to become an agent of the Chinese government.”
Doing the right thing and taking a stand might come naturally, since GoDaddy’s founder and owner also happens to be a Marine Corps veteran. As with Google, GoDaddy was commended by members of Congress for its stand.
- Rep. Chris Smith praised Go Daddy's move. "Google fired a shot heard 'round the world, and now a second American company has answered the call to defend the rights of the Chinese people," he said in the hearing. Go Daddy's move "is a powerful sign that American IT companies want to do the right thing in repressive countries," he said.
UPDATE: Apparently Dancho Danchev has recently been singled out by the attacker(s) for a somewhat lame attempt at Denial of Service of his public profile. He writes:
There are two options: a coincidence in timing and targets, or a concerted effort. I’m leaning toward a concerted effort. Why?
To other bloggers: If you have a GoDaddy account and have a site hosting malware, the fix-it instructions can be found here and an option to harden the target is here. The blog at WPSecurityLock also has some excellent details.
To malware analysts: I would first do a binary comparison, then look more closely at the code from the US Treasury sites to see whether it is exactly the same as the code injected elsewhere. My hypothesis is that if the attackers were hitting arbitrary targets it will be the same; modifications, however, would tell more about the intent, particularly whether the malware was targeting the employees of the Federal organization or merely random visitors to an under-protected Federal server.
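As an added illustration of that comparison step (example code written for this article, not part of the original post): it takes two injected-code samples recovered from two sites, checks whether they are byte-identical, then whether they still match once whitespace is normalized, and finally lists the tokens that actually differ. The two samples are constructed placeholders, not the real payload from this campaign.

```python
import difflib
import hashlib
import re

# Constructed samples standing in for injected code recovered from two
# infected pages; they are NOT the real payload from the campaign.
# Site B differs from site A only by an extra query parameter.
SAMPLE_SITE_A = b"""<script type="text/javascript"
  src="http://example.invalid/loader.js"></script>"""
SAMPLE_SITE_B = b"""<script type="text/javascript" src="http://example.invalid/loader.js?c=2"></script>"""


def sha256_hex(data: bytes) -> str:
    """Hash used for the plain binary comparison (and for sharing IoCs)."""
    return hashlib.sha256(data).hexdigest()


def normalize(data: bytes) -> str:
    """Collapse whitespace so that reformatting alone is not counted as a change."""
    text = data.decode("utf-8", errors="replace")
    return re.sub(r"\s+", " ", text).strip()


def compare_samples(a: bytes, b: bytes) -> dict:
    """Binary comparison first, then a normalized token diff that isolates
    the real modifications between the two injected samples.

    'changes' holds only the '+'/'-' entries of the diff, so an empty list
    means "same payload, different formatting".
    """
    result = {
        "sha256_a": sha256_hex(a),
        "sha256_b": sha256_hex(b),
        "identical_bytes": a == b,
    }
    norm_a, norm_b = normalize(a), normalize(b)
    result["identical_normalized"] = norm_a == norm_b
    diff = difflib.ndiff(norm_a.split(" "), norm_b.split(" "))
    result["changes"] = [line for line in diff if line[0] in "+-"]
    return result


if __name__ == "__main__":
    report = compare_samples(SAMPLE_SITE_A, SAMPLE_SITE_B)
    print("byte-identical:", report["identical_bytes"])
    print("identical after normalization:", report["identical_normalized"])
    for change in report["changes"]:
        print(change)
```

If the two sites' samples are byte-identical (or identical after normalization), that supports the "arbitrary targets" hypothesis; a short list of changes such as a per-site parameter is what to inspect for signs of targeting.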
Everyone else: this is probably a model of how cyberwarfare / information warfare will look in the future. Proving ‘whodunit’ is nearly impossible, but linking the factors together raises the odds of understanding why they’re doing it.
Securing Our eCity Contributing Writer
Author ESET Research, ESET