wordpress This week there have been several major malware injection campaigns against WordPress blogs and other php-based content management systems. This malware injection battle began last week with Network Solutions and GoDaddy.

Recently researcher Dancho Danchev has found evidence linking two US Treasury sites into the malware injection campaign:

    1. What's particularly interesting about this campaign is that, it's part of last month's NetworkSolutions mass WordPress blogs compromise…
    2. …[and the] dropped scareware's phone back location is identical to the one used in the same campaign, including the affiliate ID used by the original cybercriminal.

Did notoriety around China policy result in targeting of GoDaddy?

While it’s too early to assume anything, speculation of motive must reference back to the recent GoDaddy stand on China. Wired reported on GoDaddy’s stand against censorship in China a few months back:

  • Christine Jones, who announced the company’s decision to stop reselling Chinese top-level domain names at a meeting of the Congressional-Executive Commission on China.
  • “We were having to contact Chinese users to ask for their personal information and begrudgingly give it to Chinese authorities,” Jones told Congress. “We decided we didn’t want to become an agent of the Chinese government.”

Doing the right thing and taking a stand might come naturally since GoDaddy’s founder and owner happens to also be a Marine Corps Veteran. Similar to Google, GoDaddy was commended by Congressional members for their stand.

  • Rep. Chris Smith praised Go Daddy's move. "Google fired a shot heard 'round the world, and now a second American company has answered the call to defend the rights of the Chinese people," he said in the hearing. Go Daddy's move "is a powerful sign that American IT companies want to do the right thing in repressive countries," he said.

UPDATE: Apparently Dancho Danchev has recently been singled out by the attacker(s) for a somewhat lame attempt at Denial of Service of his public profile. He writes:

Analysis: Motivated by more than money…

There are two options: coincidence in timing and targets or that this was a concerted effort. I’m leaning toward it being a concerted effort. Why?

  1. Interesting that the Secret Service website, part of the US Treasury Department, was attacked through Chinese networks by North Korean resources just this past July 4th of 2009. With the results that Dancho put together as well as the personally motivated retaliation towards him I’m thinking this is a bit broader than just an everyday profit-driven attack.
  2. Of course money is involved. It doesn’t mean that it’s not a blended approach of motive and profit. If I were to try to investigate further, given the resources I would look hard at where the money ended up landing. Another personal opinion after reading a few indictments on how cybercrime is done, there’s very little money to be had in treasury sites. Of note however is that FinCen and the Secret Service are both part of the Treasury Department.
  3. The third thing is that the attacker is ‘watching the Watchmen’: they picked up the public buzz and counterattacked against a researcher who was publishing and coordinating the counter-offensive.

Action Items?

To other bloggers: If you have a GoDaddy account and have a site hosting malware, the fix-it instructions can be found here and an option to harden the target is here. The blog at WPSecurityLock also has some excellent details.

To malware analysts: I would first do a binary comparison and then look more closely at the code from the US Treasury sites to see if it was exactly the same. My hypothesis is that if they were attacking arbitrary targets it will be the same, however modifications would tell more about the intent, particularly if the malware was targeting the employees of the Federal organization or merely targeting random visitors of an under-protected Federal server.

Everyone else: this probably a model of how cyberwarfare / information warfare will look in the future. Proving ‘whodunit’ is nearly impossible, however linking the factors together will develop a greater probability into why they’re doing it.

Securing Our eCity Contributing Writer

Further reading: