The malware, dubbed Fidobot, tries to log into into Joomla and WordPress administrator pages (/administrator/index.php and /wp-login.php) by using admin as the username and by going through a list of often used passwords downloaded from its C&C server. When a specific combination allows it to log into the page, it sends it to same server.
An infected computer probes this way over 17,000 various domains every single day, which amounts to more that 100,000 domains per week - and a botnet usually consists of tens of thousands or even hundreds of thousands such machines.
But what worries Trend Micro researchers is that this and similar attacks may be just a precursor to worse ones. "The Stealrat botnet operation, for example, uses several compromised WordPress sites to generate spam and conceal its operations. The notorious Blackhole Exploit kit has also used several WordPress sites to redirect users to its final payload," they pointed out.
"A compromised site could affect many thousands of users, so it is much more important for administrators to secure their passwords. Settings and plug-ins to help secure CMSes are available to administrators, and they should use them appropriately."