WordPress users have reason to be wary: a malware campaign first seen earlier this year has been observed infecting new victims by a new route.
The campaign, run by unknown person(s), dates back to at least July, when the first known infection occurred. What is new is that the malware, called wp-vcd, is now being distributed inside pirated ("nulled") premium themes.
In this new phase of the attack, the malware comes preinstalled in pirated premium themes offered for download by websites other than WordPress.org. Such sites are notorious for distributing pirated themes, scripts and plugins for CMS platforms like WordPress. (A CMS, or Content Management System, is an application for creating and editing digital content; it can serve a single user or many users working together in an organization.)
In the case of wp-vcd, the malware adds a hidden administrator account to the site's backend, with the username "100010010". This is the backdoor account the attackers use to retain access to infected sites: once a site has been infected in this way, the attackers can return at a later date and run scripted attacks against it.
According to Denis Sinegubku, a security researcher at the web security firm Sucuri, since late November the attackers have used wp-vcd to insert spam into infected websites. Some of these spam messages led users to the very websites that offered the pirated themes for download in the first place, so the creators of wp-vcd used already-infected sites to recruit new ones.
But it's not all bad news for WordPress users. For one thing, it is not hard to recognise a pirated theme with wp-vcd embedded in it. As Sinegubku said, "All original [theme] files have one date, but two files have a different, more recent date."
The two files in question are class.theme-modules.php and functions.php. These are the same files the malware has been modifying since mid-July, when it was first spotted by an Italian researcher.
If you check these files, you will find the following line of code, which loads class.theme-modules.php whenever the theme's functions.php runs:
<?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>
You will also find a block of Base64-encoded text in class.theme-modules.php. (Base64 is a binary-to-text encoding that represents arbitrary bytes using only the ASCII letters, digits, "+" and "/", with "=" as padding; malware commonly uses it to keep its code out of sight of a casual reader. You have almost certainly seen it before in files you use. A typical block looks like this:
TWFuIGlzIGRpc3Rpbmd1aXNoZWQsIG5vdCBvbmx5IGJ5IGhpcyByZWFzb24sIGJ1dCBieSB0aGlz IHNpbmd1bGFyIHBhc3Npb24gZnJvbSBvdGhlciBhbmltYWxzLCB3aGljaCBpcyBhIGx1c3Qgb2Yg dGhlIG1pbmQsIHRoYXQgYnkgYSBwZXJzZXZlcmFuY2Ugb2YgZGVsaWdodCBpbiB0aGUgY29udGlu dWVkIGFuZCBpbmRlZmF0aWdhYmxlIGdlbmVyYXRpb24gb2Yga25vd2xlZGdlLCBleGNlZWRzIHRo ZSBzaG9ydCB2ZWhlbWVuY2Ugb2YgYW55IGNhcm5hbCBwbGVhc3VyZS4=)
In class.theme-modules.php the Base64 block sits right at the top of the original code, so you should have no trouble spotting it.
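The three indicators above (the injected include line, the Base64 block at the top of class.theme-modules.php, and the two files dated later than the rest of the theme) can be checked from the shell. The script below is an added example for this article, not code from the article or from Sucuri: it scans one theme directory for all three indicators and prints each suspicious path once. The sample theme it builds is constructed for the demo; the 120-character Base64 threshold and the use of style.css as the date reference are assumptions, not something the article states.

```shell
#!/bin/sh
# Added example, not code from the article or from Sucuri. Scans a theme
# directory for the wp-vcd indicators described in the text. The sample
# theme built below is constructed; the 120-char Base64 threshold and the
# use of style.css as the date reference are assumptions.

# Indicator 1: any theme PHP file (other than the payload itself) that pulls in
# class.theme-modules.php via the injected include_once line.
find_include_hook() {
    find "$1" -name '*.php' ! -name 'class.theme-modules.php' \
        -exec grep -lF "include_once(dirname(__FILE__) . '/class.theme-modules.php')" {} + 2>/dev/null
}

# Indicator 2: a class.theme-modules.php whose first lines contain a long run
# of Base64 characters (the encoded block sits at the top of the file).
find_base64_payload() {
    f="$1/class.theme-modules.php"
    [ -f "$f" ] || return 0
    if head -n 20 "$f" | tr -d '\n' | grep -Eq '[A-Za-z0-9+/]{120,}={0,2}'; then
        echo "$f"
    fi
}

# Indicator 3: files modified more recently than the theme's style.css, which
# in a clean theme normally carries the same date as everything else.
find_newer_than_reference() {
    [ -f "$1/style.css" ] || return 0
    find "$1" -type f -newer "$1/style.css"
}

# Run all three checks and print each suspicious path once.
scan_theme() {
    {
        find_include_hook "$1"
        find_base64_payload "$1"
        find_newer_than_reference "$1"
    } | sort -u
}

# Build a constructed theme: three clean files dated May 2017, then an
# "infection" that prepends the include line to functions.php and drops a
# Base64-laden class.theme-modules.php, both dated July 2017.
make_sample_theme() {
    d="$1"
    mkdir -p "$d"
    printf '/*\nTheme Name: Constructed Sample\n*/\n' > "$d/style.css"
    printf '<?php get_header(); ?>\n' > "$d/index.php"
    printf '<?php\nfunction sample_setup() { add_theme_support("title-tag"); }\n' > "$d/functions.php"
    touch -t 201705010000 "$d/style.css" "$d/index.php" "$d/functions.php"

    hook="<?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>"
    { printf '%s\n' "$hook"; cat "$d/functions.php"; } > "$d/functions.php.new"
    mv "$d/functions.php.new" "$d/functions.php"

    # Constructed Base64 filler standing in for the encoded payload block.
    b64='aGVsbG8gd29ybGQgdGhpcyBpcyBhIGNvbnN0cnVjdGVkIHBheWxvYWQgZm9yIHRoZSBleGFtcGxl'
    printf '<?php\n$encoded = "%s%s";\n// original class code would follow here\n' "$b64" "$b64" \
        > "$d/class.theme-modules.php"
    touch -t 201707150000 "$d/functions.php" "$d/class.theme-modules.php"
}

# Stand-alone demo against a temporary directory.
demo_dir=$(mktemp -d)
make_sample_theme "$demo_dir/sample-theme"
echo "Suspicious files in $demo_dir/sample-theme:"
scan_theme "$demo_dir/sample-theme"
rm -rf "$demo_dir"
```

Run `scan_theme /path/to/wp-content/themes/some-theme` against a real install; a clean theme prints nothing. The file checks do not cover the backdoor administrator account the article describes, which lives in the database rather than on disk; with WP-CLI available, `wp user list --role=administrator` lists the administrators so that an unexpected "100010010" stands out.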
wp-vcd is just one of many malware families that can affect WordPress. To reduce the risk of such infections, use only themes and plugins obtained from the official WordPress.org directory or directly from the vendor, and never pirated copies.