A new piece of WordPress malware has been discovered disguised as an SEO plug-in called WP-Base-SEO. The malware...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
plug-in has the ability to create backdoors on infected WordPress accounts. How does this new WordPress malware work, and are there any ways for users to identify fake or malicious plug-ins?
It's never been easy to evaluate potentially malicious software, and the stakes continue to get higher. App stores adding minimal security checks have made it somewhat easier, but you're stuck in the walled garden of the app store vendor. While this can protect end users, it doesn't help when what you need isn't in the app store.
There is a WordPress app store that offers thousands of plug-ins for websites using WordPress, but it has minimal criteria for hosting plug-ins.
Jessica Ortega, web security research analyst at SiteLock LLC, a website security company based in Scottsdale, Ariz., wrote about a malicious SEO plug-in for WordPress. Ortega noted that the code looks legitimate based on the header comment in the code.
However, as SiteLock researchers analyzed the code, they identified potentially suspicious functionality that could create a backdoor on the infected WordPress install. One of the simple obfuscation steps the WordPress malware authors used in the plug-in was to use the code $myfunc = 'bas' . 'e64_' . 'dec' . 'ode'; to hide the usage of the PHP base64_decode function, which decodes data that was encoded using the Multipurpose Internet Mail Extensions base64 binary-to-text encoding scheme.
Something like this should seem out of place in a potentially legitimate plug-in, which could alert your Spidey sense that something is wrong. However, it is very difficult for nontechnical people to evaluate code at this level, so relying on app store security checks and user feedback may be the best some users can be expected to do.
Malicious programs masquerading as legitimate software, such as this WordPress malware, is not uncommon. Enterprises should encourage their app stores to incorporate security into the entire ecosystem and to add additional checks of the application and the developer to improve trust in the store. While there may be increased costs, enterprises may be willing to pay for the time savings from not needing to spend as much time evaluating software.
Enterprises may even want to collaborate within their industry peers or Information Sharing and Analysis Centers to share this information. The SiteLock Research Team also mentioned using a service or application to check website security, which is good advice.
Learn how to protect against malware on the endpoint
Find out how running in an infrastructure-as-a-service virtual machine can help to secure WordPress
Read about what CISOs can do to mitigate insider threats
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
Bitdefender discovered that the NotPetya malware changes its behavior when Kaspersky security products are detected. Nick Lewis explains how the ...continue reading
The Katyusha Scanner is based on the open source penetration test scanner Arachni. However, it has been modified to work through Telegram accounts. ...continue reading
A Libgcrypt vulnerability could allow attackers to recover private RSA-1024 keys, as it allows a left-to-right sliding window that shows how specific...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.