WordPress Security: Nulled Scripts and the CryptoPHP Infection

Our friends over at Fox-IT based in Delft in the Netherlands just contacted me with some amazing research they’ve just published. If you’re technically minded and want as much detail as possible, I recommend you skip this blog entry and head straight over to the Whitepaper that Fox-IT has published on the CryptoPHP backdoor (It’s 50 pages). I’ve summarized the details and our response:

Nulled scripts are commercial web applications that you can obtain from pirate websites that have been modified to work without a license key. They are the web equivalent of pirated software. They include commercial WordPress themes and plugins.

It’s come to our attention courtesy of Fox-IT that nulled scripts are being distributed via several websites with a sophisticated infection pre-installed. Fox-IT have dubbed it CryptoPHP because it encrypts data before sending it to command and control servers.

The infection is relatively simple: Inside a nulled script there’s a little line of code that looks like this:

<?php include('assets/images/social.png'); ?>

If you’re a PHP developer you will immediately recognize this as strange: it is a PHP directive to include an external file containing PHP source code, but the file is actually an image. Inside this image file is actual PHP, and the code is obfuscated (hidden through scrambling) to hide the fact that it’s malicious.

If you’re a Wordfence customer and you are running scans, note that the default settings for Wordfence do not scan image files for infections. We are aware of these kinds of infections, so a while back we added an option to scan image files as if they are PHP code. With the detection we just added, Wordfence will also detect the ‘include’ directive above in your PHP source, so even if you haven’t enabled image-file scanning, you will still catch all known variants of this infection provided you are running the newest version of Wordfence.
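The two checks described above, as an added example (this is not Wordfence's or Fox-IT's code): flag include/require statements whose path ends in an image extension, and flag image files that contain a PHP open tag. The function names, extension lists and the sample theme tree are assumptions constructed for illustration, and a hit is a lead for manual review, not proof of infection.

```python
import re
import tempfile
from pathlib import Path

IMAGE_EXT = r"(?:png|jpe?g|gif|ico|bmp)"
# include/require(_once) whose statement contains a quoted path ending in an image extension
INCLUDE_IMAGE = re.compile(
    r"\b(?:include|require)(?:_once)?\b[^;]*?['\"]([^'\";\n]+\." + IMAGE_EXT + r")['\"]",
    re.IGNORECASE,
)
PHP_OPEN_TAG = re.compile(rb"<\?php", re.IGNORECASE)
PHP_SUFFIXES = {".php", ".inc", ".phtml"}
IMAGE_SUFFIXES = {".png", ".jpg", ".jpeg", ".gif", ".ico", ".bmp"}


def scan_tree(root):
    """Return sorted (relative_path, reason) findings for files under root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        suffix = path.suffix.lower()
        if suffix in PHP_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            for match in INCLUDE_IMAGE.finditer(text):
                findings.append((rel, "includes image file: " + match.group(1)))
        elif suffix in IMAGE_SUFFIXES and PHP_OPEN_TAG.search(path.read_bytes()):
            findings.append((rel, "image contains PHP open tag"))
    return sorted(findings)


def build_sample_tree(root):
    """Write a constructed sample theme (harmless stand-ins, not real malware)."""
    images = Path(root) / "assets" / "images"
    images.mkdir(parents=True)
    (images / "social.png").write_bytes(b"<?php /* constructed placeholder */ ?>")
    (images / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR")
    (Path(root) / "footer.php").write_text("<?php include('assets/images/social.png'); ?>\n")
    (Path(root) / "header.php").write_text("<?php include 'inc/nav.php'; ?>\n<img src='assets/images/logo.png'>\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, reason in scan_tree(build_sample_tree(tmp)):
            print(rel + ": " + reason)
```

Point `scan_tree` at a theme or plugin directory before installing it; the clean `header.php` and `logo.png` in the sample show that an ordinary PHP include and an ordinary image reference are not flagged.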

Fox-IT has determined that the purpose of the malware is, currently, to engage in black-hat SEO by injecting links to other, presumably malicious, websites into your content. However this infection is sophisticated and it communicates with command and control servers that can instruct it to do a variety of tasks including the ability to upgrade itself. So this is a classic botnet infection which turns all infected websites into drones that can be instructed to do just about anything, from sending spam email to SEO spam to hosting illegal content to performing attacks on other websites.

The researchers think they may have identified the location of the author. Inside the code of the malware is a user-agent (browser) check that checks to see if the web browser user-agent equals ‘chishijen12’. If it does, then the application is instructed to output all PHP errors to the browser, presumably for debugging purposes. Fox-IT found an IP address that is associated with that user-agent and the IP is based in the state of Chisinau in Moldova. The name of the state is similar to the user-agent string, which gives their theory some credence.

This infection doesn’t just affect WordPress but affects Drupal and Joomla too. The detection we’ve added will actually detect the infection in Drupal or Joomla source code too if that lives under your WordPress directory.

If you’re an enterprise customer and are using an IDS like Snort or the EmergingThreats ruleset, Fox-IT have created Snort signatures which are in the whitepaper and I see that EmergingThreats have updated their open ruleset today to detect this.

You can find the full white paper discussing this new threat here and it includes quite a bit of technical detail if you’re a developer or information security researcher.

Please help spread the word about the danger involved in downloading or distributing nulled scripts and help keep the community safe.

21 Comments
  • Thanks guys!!

  • Found this script from weeks ago on same way in social.png file on Ninja Popups plugin downloaded from themeok.org and Posted by Dospel & GanjaParker

  • Simple answer, PURCHASE your themes! Do not use "nulled" crap

  • scary stuff

    thanks for sharing it

  • This is nothing new, shells have been hidden in screenshots before: http://pross.org.uk/php-shell-detected-in-themes-site/

    As Har said, don't download nulled crap, plain and simple. Get the theme from either the author or wordpress.org

  • Everything has a price. Use Nulled scripts and pay a bigger price in the end, so to speak.

  • What would we do without Wordfence?

    Thanks for the effort. Regarding themes, absolutely no good idea to use free themes. Besides base64 code in the footer and embedded affiliate links nobody needs, we now have a 'new' threat. Although, embedding malicious code into image files isn't that new, the way this works is pretty sophisticated. I sure hope they catch this knucklehead and put him out of business.

    Last but not least; why isn't Wordfence a core part of Wordpress?

  • The white paper is 52 pages long but the pages do contain a lot of "white". It didn't take that long to read. It was well worth the time. Thanks for sharing.

  • Yeah, I knew about this some months ago.
    I downloaded a script for study and suddenly my Avast! Antivirus alerted.
    On scanning I discovered social.png was the culprit.
    So I simply used the antivirus to remove it and then saw the above php code in the theme files and removed it too.
    Now it is standard practice to scan every theme I get no matter the source. Safer that way.

  • This is the problem that infected my blog and made it impossible to login. I'm not sure how it got there. I have a very plain very old theme on the site. But I recently experimented with some new plugins. I thought they all came from the wp website, but I need to see where this came from.
    Thanks for investigating this.

  • Didn't know the term "Nulled scripts" until now.

    I understand it this way: If I do not use any software on my blog of dodgy origin, I should be in the clear, legal wise?

    And with the latest update to Wordfence, and a fresh scan, my blog should be in the clear too?

  • Sadly funny. Ahh, if you used hacked / pirated themes, umm, maybe you should expect the scripting is or will be compromised... Got Karma?

  • That has been around as long as the themes are. Don't download from unconfirmed sources and problem solved.

  • Does Wordfence or anything else scan for this? I have a number of client sites where I know the client just downloaded any plugin they could find.

  • Thanks for sharing, well that's what you get when you go for Nulled Scripts, if you truly need a script, buy it and not steal it.

  • Um - Sounds like a beat up. I had a site infected via a Premium theme from ThemeForest that I paid $63 for (Premium author). Author denied it was their theme of course despite 3 other people having the same issue. Lack of secure and organised system architecture in Wordpress I reckon. Too many open doors and alleys.

    All begins to look like the virus/antivirus cat and mouse games all over again.

  • @Graham, I recently started having major issues with redirects and spam groups, etc after switching to a premium ThemeForest theme that starts with "K" (same price as you mentioned). Does the theme you are referring fit this? If so, and to prevent tarnishing the developer in case it's just a bad extension they packaged with it, can you verify and tell me what the theme name ends with?

    If we're both having the same issues with the same theme, I'm going to request they fix it ASAP or refund my money and leave a proper review for it.

    Thanks!

  • I have already found such line of code in a nulled theme but never noticed that it was a malicious code. Just thought the code was wrong (misplaced) and strange and removed it.
    Thanks for making me aware of this.

    • Yep, I'm also using a nulled template. Thanks for sharing this, this makes me aware next time.

  • Encrypted code (base 64) and footer links are common in nulled scripts, but this thing would pass by most people. Thanks for spreading the awareness!

  • you should try Hide Referrer Service for your link security

    LIKE

    https://www.anonymizer.info/