Avast is right here; see what was reported here: http://blog.armorize.com/2011/10/mass-wordpress-infection-ongoing-most.html (link authors: Wayne Huang, Chris Hsiao, NightCola Lin).

Quote from there:

1. Location of injected script: in the index page of the compromised website.
2. Means of compromise: we believe via a combination of a) stolen WordPress passwords b) backdoors into previously compromised WordPress websites and c) Automated script-injection tools that work in combination with either (a) or (b).
3. Injected script: In the [Details] section we’ve included an example of an injected script. There are more than 20 variations.
4. Script packer used: Dean Edwards’ packer.
5. Malware: Multiple malware will be installed (dropped) onto the visitors' machines without the users’ knowledge. Antivirus detection rate is around 5 out of 43 vendors on VirusTotal at the time of this writing.
6. Infected websites: A lot of WordPress websites have been hit, a sample list is as follows:

Now the way the infection goes:

The injection has a simple chain:

  1. Index page of a WordPress site is injected with script packed by Dean Edwards’ packer
  2. JavaScript generates iframe to a malicious domain registered with changeip.com
  3. Browser loads the exploit pack from the malicious domain, hosting on a few fixed IPs including 95.163.66.209 (Russia), 64.131.75.19 (USA), and 182.18.185.82 (India).
Link authors: Wayne Huang, Chris Hsiao, NightCola Lin at Armorize malware Blog

polonus
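
For site owners checking their own index page for the chain quoted above, here is an added example (not part of the post or of the Armorize write-up) that statically expands scripts packed with Dean Edwards' packer and lists any iframe target they write, without evaluating the script. The sample page, its `example.invalid` domain and all function names are constructed for illustration.

```python
import re

# Signature of Dean Edwards' packer output: eval(function(p,a,c,k,e,d){...}(payload,radix,count,words...))
PACKED = re.compile(r"\}\('(.*?)',(\d+),(\d+),'(.*?)'\.split\('\|'\)", re.S)
IFRAME = re.compile(r"<iframe[^>]+src=[\"']?([^\"'\s>]+)", re.I)
DIGITS = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"

def unbase(token, radix):
    """Decode a packer token (base up to 62); None if it is not a valid index."""
    n = 0
    for ch in token:
        d = DIGITS.find(ch)
        if d < 0 or d >= radix:
            return None
        n = n * radix + d
    return n

def unpack_all(html):
    """Statically expand every packed block in html; nothing is evaluated."""
    out = []
    for payload, radix, _count, words in PACKED.findall(html):
        words, radix = words.split("|"), int(radix)
        def expand(m):
            i = unbase(m.group(0), radix)
            # Empty dictionary slots mean "token stands for itself".
            return words[i] if i is not None and i < len(words) and words[i] else m.group(0)
        out.append(re.sub(r"\b\w+\b", expand, payload.replace("\\'", "'")))
    return out

def scan(html):
    """Return iframe targets hidden inside packed scripts on the page."""
    return [u for js in unpack_all(html) for u in IFRAME.findall(js)]

# Constructed sample: benign placeholder domain, decoder body elided.
SAMPLE = r"""<html><body><h1>Blog</h1>
<script>eval(function(p,a,c,k,e,d){/* decoder */}('0.1(\'<2 3="4://5.6/"></2>\')',62,7,'document|write|iframe|src|http|example|invalid'.split('|'),0,{}))</script>
</body></html>"""

if __name__ == "__main__":
    for url in scan(SAMPLE):
        print("packed script writes iframe to:", url)
```

A packed script in a theme or index file is not malicious by itself, so treat a hit as a reason to compare the file against a clean copy of the WordPress release.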