Ars Technica recently published an article about the “wiper” malware that included a Yara rule provided by the FBI. However, that rule does not work because of a syntax error. The following rule corrects the syntax error and can be used with Yara 3.2.0.
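rule wiper_rule_placeholder // placeholder name; the original rule name is not shown on this page
{
    meta:
        description = "unique custom error debug strings discovered in the wiper malware"
    strings:
        $IP1 = "18.104.22.168" fullword nocase
        $IP2 = "22.214.171.124" fullword nocase
        $IP3 = "126.96.36.199" fullword nocase
        $MZ = "MZ"
    condition:
        $MZ at 0 and all of them
}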
I am seeing a lot of brute-force attempts made against my site lately. In fact, the unsuccessful login attempts using the “admin” user id have increased 300-fold. My preliminary investigation showed that all of the offending systems are running Linux. Some of these systems belong to online retailers, some of them are academic institutions, and some belong to individuals.
Upon investigating the offending hosts, I realized that they ran Parallels Plesk, MySQL, nginx or Exim (or a combination thereof). Not surprisingly, major security vulnerabilities were found on all of these systems in 2014. This goes to show that security is still not a priority for some hosting providers and organizations. I don’t know how badly these systems are compromised, but for now they are being used to attack WordPress sites.
You can protect yourself from this type of attack by installing the iThemes Security plug-in. This plug-in guides you through securing your site against brute-force attacks, among others.
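To see which sources are behind a spike like the one described above, the web server's access log can be scanned for repeated failed logins. The script below is an added example, not code from the original post or from the iThemes plug-in; it assumes a combined-format access log, the stock WordPress login path /wp-login.php, and stock WordPress behaviour where a failed login is answered with 200 and a successful one with a 302 redirect. The threshold, window, helper names and sample lines are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: ip ident user [time] "METHOD path PROTO" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def failed_login(line):
    """Return (ip, time) if the line is a failed wp-login.php POST, else None."""
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    # Assumption: stock WordPress re-renders the form with 200 on a failed
    # login and redirects with 302 on success; plug-ins can change this.
    if method != "POST" or path.split("?")[0] != "/wp-login.php" or status != "200":
        return None
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

def brute_force_sources(lines, threshold=5, window=timedelta(minutes=1)):
    """Map each IP to its peak failure count in any window, if >= threshold (per-IP time order assumed)."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        hit = failed_login(line)
        if hit is None:
            continue
        ip, when = hit
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:   # drop failures older than the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

def sample_line(ip, sec, method="POST", path="/wp-login.php", status=200, minute=0):
    # Builds one constructed log line (documentation addresses, not real traffic).
    return f'{ip} - - [10/Dec/2014:10:{minute:02d}:{sec:02d} +0000] "{method} {path} HTTP/1.1" {status} 3120 "-" "-"'

SAMPLE = (
    [sample_line("203.0.113.7", s) for s in range(0, 12, 2)]                # 6 failures in 10 s
    + [sample_line("198.51.100.4", 5, minute=m) for m in range(0, 50, 10)]  # 5 failures, 10 min apart
    + [sample_line("192.0.2.9", 30, status=302)]                            # successful login
    + [sample_line("192.0.2.9", 31, method="GET")]                          # just loading the form
)

if __name__ == "__main__":
    for ip, n in brute_force_sources(SAMPLE).items():
        print(f"{ip}: {n} failed logins within one minute")
```

Only the first source is reported: the slow sender never accumulates five failures inside one minute, and the successful login and the GET request are not counted as failures.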