Malware analysis blog Xylibox often has interesting posts which are very relevant to our own work – many of their analyzed samples are exactly what we’re removing from clients’ sites.  We wanted to highlight a post from December in which they analyzed a piece of malware designed to guess the passwords of WordPress (and Joomla) sites: Win32/BruteForce.WP.

Important takeaways:

  • The hacker does not lack for targets – 36,000 domains with WP or Joomla.  With a large enough botnet he’ll be able to attack all of them.
  • From what appears to be a brief attack, a dozen compromised sites had very predictable passwords: admin, password, abcd1234, and asdfasdf.
  • There may be some built-in intelligence to guess passwords based on the name or content of targeted sites, so having a password based on the name of your organization is risky.
  • Once a site is compromised, the hacker can install backdoors via the plugin/component uploaders built into WP and Joomla.  This is extremely common.
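The attack described in these takeaways leaves a very recognisable trace in a site's web server logs: a single source posting to the admin login endpoint far more often than any person would. The following is an added example, written for this post rather than taken from Xylibox or from the malware itself, that flags such bursts in combined-format access logs. The log lines, IP addresses and the threshold of five attempts per minute are constructed for illustration; tune the threshold to your own traffic.

```python
"""Flag brute-force login bursts against WordPress/Joomla admin endpoints.

Added example (not from the original post). The sample log lines below are
constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log format, reduced to the fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# WordPress and Joomla administrator login endpoints.
LOGIN_PATHS = ("/wp-login.php", "/administrator/index.php")

# Constructed sample: one source hammering the login form (WordPress answers a
# failed login with 200 and the form again; a success redirects with 302),
# and one legitimate administrator logging in once.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2012:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3456
203.0.113.7 - - [10/Dec/2012:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
203.0.113.7 - - [10/Dec/2012:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
203.0.113.7 - - [10/Dec/2012:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
203.0.113.7 - - [10/Dec/2012:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
203.0.113.7 - - [10/Dec/2012:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
203.0.113.7 - - [10/Dec/2012:10:00:07 +0000] "POST /administrator/index.php HTTP/1.1" 303 0
198.51.100.5 - - [10/Dec/2012:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.5 - - [10/Dec/2012:10:01:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 9876
"""


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def login_attempts(lines):
    """Collect timestamps of POSTs to the admin login endpoints, keyed by source IP."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        # Only form submissions count; a GET merely loads the login page.
        if method == "POST" and path.split("?")[0] in LOGIN_PATHS:
            attempts[ip].append(ts)
    return attempts


def find_bruteforcers(lines, threshold=5, window_seconds=60):
    """Return {ip: peak attempts inside any window} for IPs at or above threshold."""
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, stamps in login_attempts(lines).items():
        stamps.sort()
        peak, start = 0, 0
        # Sliding window: advance `start` until the window fits, then measure it.
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, count in find_bruteforcers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} login POSTs within 60s")
```

Run against a real log with `find_bruteforcers(open("access.log").readlines())`. The check deliberately ignores the HTTP status, so it also catches a bot that eventually succeeds; the status column is left in the parsed record so a follow-up rule can single out the 302 that marks the successful guess.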

You can find more details at “Malware With Bruteforce Capabilities” by abuse.ch.

The features of this malware emphasize how important it is to have strong passwords and non-standard usernames for site administrator accounts.
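A policy that only enforces length and a mix of character classes would still accept every password listed above and the name-based guesses the malware may attempt. The following added example (our own illustration, not code from Xylibox or from either CMS) checks an administrator username and password against exactly those weaknesses: default usernames, the passwords the post reports, and passwords that reduce to the site's own name once case, digits and common letter substitutions are stripped. The site name, domain and word lists are constructed for the example.

```python
"""Check a CMS administrator credential pair against the weaknesses discussed above.

Added example (not from the original post). Word lists and the sample site are
constructed; extend COMMON_PASSWORDS with a real breached-password list in practice.
"""
import re

# Passwords the post reports on compromised sites, plus a few usual suspects.
COMMON_PASSWORDS = {"admin", "password", "abcd1234", "asdfasdf", "123456", "qwerty"}
DEFAULT_USERNAMES = {"admin", "administrator", "root", "test"}
# Common "leet" substitutions, undone so that Acm3W1dg3ts reads as acmewidgets.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def site_tokens(site_name, domain):
    """Words an attacker could derive from the target: name words and domain labels."""
    words = re.findall(r"[a-z]+", site_name.lower())
    tokens = set(words)
    tokens.add("".join(words))                       # name with spaces removed
    tokens.update(domain.lower().split(".")[:-1])    # domain labels, minus the TLD
    return {t for t in tokens if len(t) >= 4}        # ignore fragments like "the"


def normalize(password):
    """Lowercase, undo leet substitutions, drop digits and symbols added for 'complexity'."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))


def credential_problems(username, password, site_name, domain, min_length=12):
    """Return a list of reasons the pair is weak; an empty list means it passed."""
    problems = []
    if username.lower() in DEFAULT_USERNAMES:
        problems.append("default username")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    core = normalize(password)
    if username and username.lower() in core:
        problems.append("contains username")
    # Report the longest site-derived token found, so the reason is deterministic.
    hits = sorted((t for t in site_tokens(site_name, domain) if t in core),
                  key=lambda t: (-len(t), t))
    if hits:
        problems.append(f"derived from site name ({hits[0]})")
    return problems


if __name__ == "__main__":
    site, domain = "Acme Widgets", "acmewidgets.com"
    for user, pw in [("admin", "password"),
                     ("webmaster", "Acm3W1dg3ts!2012"),
                     ("webmaster", "correct-horse-battery-staple")]:
        print(f"{user}/{pw}: {credential_problems(user, pw, site, domain) or 'ok'}")
```

The second sample password would satisfy most "complexity" rules yet normalises to the site name with digits appended, which is precisely the kind of guess the post warns about; only the third pair passes.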