Author: Weston Henry (Page 2 of 5)

A Brief Survey Of Fake WordPress Plugins

Fake, malicious WordPress plugins are not new. The proliferation of fake plugins generating spam files, though, has blossomed in recent months. We’ve seen blatant rip-offs of existing plugins, fake plugins that are one letter away from their legitimate counterpart, and even a created-from-scratch, malware-serving plugin using a ripped version of the WordPress.org plugins site.

This week we’ll discuss how fake plugins get on to WordPress sites, analyze a well known fake plugin to provide a sense of what they can do, look at a non-exhaustive list of fake plugins and a couple of interesting features, and discuss ways to avoid being victimized by fake plugins.

How Fake WordPress Plugins Infect Sites

Unfortunately there’s no single way fake plugins end up on WordPress sites. We can, however, discuss a few common ways they are “installed.” The first method is just that: a fake plugin is installed by the site owner.

Website Owner Installs

Malicious plugin authors are adept and persistent. Bad actors will co-opt existing, usually not well-known plugins, steal the code and post the plugin on any number of third-party WordPress sites. Unsuspecting site owners looking for some capability find the fake, malicious plugin, install it, and the new capability may or may not work. What is likely to work is the malicious code inside the fake plugin.

Compromise Of A Legitimate Plugin

The most likely way a fake WordPress plugin makes it onto a website is through the compromise of an existing, vulnerable plugin. The Revolution Slider vulnerability was a major and long-lasting example: it led to a wave of compromised WordPress sites and the spam that followed.

Compromised Website Logins

Another way fake plugins get installed is through compromised FTP or hosting control panel credentials. A compromised workstation is a password-stealing trojan away from transmitting user names and passwords to bad actors, who can then take complete control of a site and install any number of types of malware, including fake plugins.

An (In)famous Fake Plugin

We’ll begin our fake plugin survey with one of the most infamous fake WordPress plugins, the ‘Docs’ plugin. Docs, occasionally docs, is a spam file creator which creates hundreds if not thousands of .dat spam files. It places them in a directory named cache and maps the files with a file called sitemap.html. Here you can see the code that does just that.

[Image: Docs.php code snippet from the malicious Docs plugin]

And here is a partial directory listing of the generated spam files.

[Image: partial directory listing of the Docs spam files]

The spam files themselves, in this example, contain links promoting drug rehab.

<li><a href="http://example.com/recovering-drug-addict-behavior">Recovering drug addict behavior</a></li>

<li><a href="http://example.com/recovery-from-pain-killer-addiction">Recovery from pain killer addiction</a></li>

<li><a href="http://example.com/drug-rehabilitation-near-me">Drug rehabilitation near me</a></li>

<li><a href="http://example.com/pcp-drug-treatment">Pcp drug treatment</a></li>

<li><a href="http://example.com/celebrities-in-recovery">Celebrities in recovery</a></li>

.dat File Snippet

This spam will become an easy source of black hat SEO for the bad actors, boosting other sites’ rankings while hurting the SEO of the infected site — even causing the attacked site to become blacklisted by search engines.

A Few Fake WordPress Plugins We’ve Seen

Here is a non-exhaustive list of plugins we’ve seen while dealing with infected WordPress sites.

/wp-content/plugins/aciry/

/wp-content/plugins/acismittory/

/wp-content/plugins/Akismet3/

/wp-content/plugins/disable-commenis/

/wp-content/plugins/Docs/

/wp-content/plugins/page-links-mo/

/wp-content/plugins/regenerate-thumbnaius/

/wp-content/plugins/research_plugin_URQe/

/wp-content/plugins/theme-check/

/wp-content/plugins/WPupdate/

/wp-content/plugins/WPupdate1/

/wp-content/plugins/wp-amazing-updater/

/wp-content/plugins/wp-arm-config/

/wp-content/plugins/xcalendar-1/

/wp-content/plugins/xcalendar-2/

Sample Listing of Fake WordPress Plugins

A common tactic of fake plugins is to use legitimate comments or code to mask their existence. Take wp-amazing-updater, for example. Wp-amazing-updater is a fake plugin that is a password-protected uploader and more, and it uses the comments from the BNS Add Widget plugin in its main PHP file. Here are the fake plugin’s directory listing and the legitimate comments in the malicious plugin file.

[Image: directory listing of wp-amazing-updater]

[Image: benign comments in the malicious wp-amazing-updater.php file]

Another fake plugin, theme-check, uses a barely obfuscated shell, the WSO shell, in its included file, db.php. Here is a snippet of the shell’s code.

[Image: snippet of plugins/theme-check/db.php]

Some fake plugins are overwhelmingly normal code while others are overwhelmingly malicious. Still others co-opt legitimate parts of a platform, here WordPress, to deliver the functions used to exploit a site. The code below is from the ‘research_plugin’, which provides a simple-to-access backdoor. The function research_plugin(), which passes a request parameter to eval to run arbitrary code, is called whenever the theme is initialized, because it is registered through the add_action hook.

[Image: snippet of ‘research_plugin’]

How to Protect Yourself

It can be difficult to detect fake, malicious WordPress plugins installed on a website, especially if you don’t know what you’re looking for. The best thing a site owner or developer can do is regularly check the installed plugins through the WordPress admin dashboard, and look through the installation files directly in /wp-content/plugins with an FTP client or hosting control panel. Look for any plugins listed above or any that you do not recognize, then search wordpress.org/plugins for the plugin’s directory name to verify whether it’s legitimate.
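The manual check above can be scripted. This is an added example, not code from the original post or from SiteLock: it walks a wp-content/plugins directory, flags the fake directory names listed on this page, flags names within one or two letters of a legitimate slug (the Akismet3 and disable-commenis pattern), and marks everything else as needing a wordpress.org lookup. The LEGIT_SLUGS list and the sample directory tree are assumptions constructed for the example.

```python
import os
import tempfile

# Fake plugin directory names listed on this page, lower-cased for matching.
KNOWN_FAKE = {
    "aciry", "acismittory", "akismet3", "disable-commenis", "docs",
    "page-links-mo", "regenerate-thumbnaius", "research_plugin_urqe",
    "theme-check", "wpupdate", "wpupdate1", "wp-amazing-updater",
    "wp-arm-config", "xcalendar-1", "xcalendar-2",
}
# Legitimate slugs the fakes imitate (assumed list; add your own site's plugins).
LEGIT_SLUGS = {"akismet", "disable-comments", "page-links-to",
               "regenerate-thumbnails"}

def edit_distance(a, b):
    """Levenshtein distance: single-letter edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(slug):
    """'known-fake' and 'lookalike:*' mean inspect the files; 'unverified'
    means look the slug up on wordpress.org/plugins before trusting it."""
    s = slug.lower()
    if s in KNOWN_FAKE:  # theme-check also collides with a real slug: inspect it
        return "known-fake"
    if s in LEGIT_SLUGS:
        return "ok"
    for legit in sorted(LEGIT_SLUGS):
        if edit_distance(s, legit) <= 2:
            return "lookalike:" + legit
    return "unverified"

def audit_plugins(plugins_dir):
    """Map every subdirectory of wp-content/plugins to its verdict."""
    return {d: classify(d) for d in sorted(os.listdir(plugins_dir))
            if os.path.isdir(os.path.join(plugins_dir, d))}

def make_sample_tree():
    """Constructed sample plugins directory so the audit can run offline."""
    root = tempfile.mkdtemp()
    for name in ("akismet", "Akismet3", "page-links-mo", "hello-dolly", "Docs"):
        os.mkdir(os.path.join(root, name))
    return root
```

Run `audit_plugins("/path/to/wp-content/plugins")` against a real install; a name-only check cannot prove a plugin is clean, so every "lookalike" or "known-fake" verdict is a prompt to open the files, not a final answer.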

Also, using a security scanner, like the SiteLock INFINITY malware scanning solution, can monitor your site for the malware contained in fake plugins and alert you to the plugins and, in the case of INFINITY, automatically clean the malicious content for you. Read what WP Buffs has to say about SiteLock, then give us a call at 855.378.6200 to speak with a Website Security Consultant today.


SiteLock Research Team Identifies Malicious Plugin

During a routine site cleaning, the SiteLock Research Team found suspicious code in a WordPress plugin file.

Visit our WordPress blog, the District, for full details on this malicious plugin.

Vulnerable WordPress Social Media Plug-in Discovered

SiteLock SECCON Team recently detected suspicious code in a WordPress Social Media Tab. plugin file. In this article we will discuss the malicious plugin and its payload, and detail what steps should be taken to remove and avoid using malicious plugins.


Popular 2016 WordPress Hacks

It’s time to get serious about threats to your WordPress website. The SiteLock research team has investigated the types of attacks WordPress users can expect in 2016. Let’s take a look…


It’s a Holiday Security Breach Blowout

This week we have a personal story for our readers. It’s a heartwarming tale of multiple mass data compromises, which affected yours truly. We’ll also discuss how major data breaches occur, and what you can do to protect yourself in the Age of the Large Data Breach.


Adsense High CPC Malicious WordPress Plugin in the Wild

The SiteLock SMART malware scanner detected three particular files as suspicious. Inspection of the files by the SiteLock Research Team ultimately determined that a malicious WordPress plugin was being actively hosted, used by unsuspecting site owners, and spread via YouTube.

We will detail the malware contained in the malicious plugin, reveal the relationships between the malicious plugin and other sites, and finally discuss mitigation for sites using the plugin and how to avoid such situations.


Don’t Be Held For Ransom By Ransomware

What is ransomware and how does it work?

Ransomware is malicious software that infects a computer and restricts the computer’s use until the victim pays a ransom to restore functionality. A ransomware compromise begins with a vulnerable computer or computer with vulnerable third-party software. A user on the vulnerable machine clicks a link in a malicious email, or visits a malicious website for example, which allows the ransomware to exploit a vulnerability and gain complete control of the machine.


Malicious WordPress Plugin Adsense High CPC

While scanning website files, SiteLock SMART flagged three particular files as suspicious. Inspection of the files by the SiteLock research team ultimately determined that a malicious WordPress plugin was being actively hosted, used by unsuspecting site owners, and spread via YouTube.

In the following article, we will:

  • detail the malware contained in the malicious plugin
  • reveal the relationships between the malicious plugin and other websites
  • discuss mitigation for sites using the plugin and how to avoid such situations


What Is Security?

First, let’s tell you what security is not. Security is not safety.

Security is on everyone’s mind at this festive time of year. As more and more consumers move their shopping online, e-commerce security and the security of personal information naturally comes to the forefront. But what is security?

It’s a large and nebulous topic to which entire areas of study are dedicated, and the average website owner can’t be expected to be an expert, let alone a consumer. That’s why we’re taking this opportunity to answer this question and hopefully provide a foundation of understanding to help all site owners and consumers better assess their security needs.


Looking at 1,000 Malware Email Addresses

Why Email Addresses?

When the SiteLock support teams clean malware from websites, it’s not unusual to find email addresses somewhere in the injected code. So the research team decided to dig into some of those malware email addresses to see what we could learn.

With the help of the SECCON (security concierge) and Expert Services teams, we gathered over 1,000 email addresses in short order. We hoped to see potential patterns such as highly used email providers and learn how the addresses were used, with the added benefit of providing a list of strings to detect malware.

Where Malware Email Addresses Can Be Found

The list of 1,012 email addresses consists mostly of phishing repositories, with some shell install and login notifications, ego addresses, and a few spoofed “From” addresses from phishing files. The full list of malware email addresses is found at WSTNPHX’s GitHub page.
