
IonCube malware: Who do these malicious files put at risk?

Malicious files posing as legitimate ionCube files were recently found by WordPress and Joomla admins. Learn how the ionCube malware works with expert Nick Lewis.

WordPress and Joomla admins are being warned of a new strain of malware named ionCube that poses as legitimate ionCube files. How does the ionCube malware work and who is at risk?

While everyone wants a website, not everyone has the resources to build, administer and secure their own. Content management systems (CMS), such as WordPress and Joomla, may seem to be the solution.

Widespread use of these CMSes has created a robust ecosystem of add-ons that extend the core CMSes, giving businesses and individuals the features and functionality they need to run their websites with minimal technical skills.

Some add-ons are commercially developed, and their authors protect their intellectual property with ionCube, which encodes the add-on's PHP files so that only authorized websites can run them; the CMS then needs the ionCube loader installed to execute those files.

IonCube Ltd., a U.K. software publisher, produces one popular mechanism for protecting CMS code written in PHP. IonCube is a format for encoding PHP code to prevent third parties from viewing or changing the code. The ionCube loader software is used to load and execute PHP programs that have been encoded in IonCube format.

SiteLock LLC, a website security vendor based in Scottsdale, Ariz., recently reported that its researchers had discovered a new type of malware that uses the ionCube format to disguise malicious files on compromised CMSes. The malicious files were written in a format closely resembling legitimate ionCube-encoded files and were executed through a modified version of the ionCube loader software.

The ionCube malware files differ from legitimate ionCube formatted files in a number of ways, including lacking an internal reference to the ionCube domain -- ioncube.com -- which is present in legitimate ionCube files. SiteLock also reported other indicators of compromise in the malicious files.

The researchers identified more than 700 websites that were infected with over 7,000 malicious files -- but they didn't say how the websites had been infected. The infected websites were all using PHP, Joomla, WordPress or CodeIgniter and could have been infected by exploits of outdated CMS code or outdated add-ons.

SiteLock recommends that websites with indicators of malicious files be scanned for malware and that companies install web application firewalls. If a file is found in the CMS that wasn't authorized or uploaded by an admin, then the system should be investigated to determine if and how deeply the security of the system was compromised.
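A triage script that applies the discrepancy described above (a file with an ionCube-style loader stub but no internal ioncube.com reference) across a CMS tree. This is an added example, not SiteLock's or ionCube's code; the loader-stub pattern and the sample file contents are constructed assumptions, not indicators published by SiteLock.

```python
"""Triage helper: flag PHP files that look ionCube-encoded but lack the
ioncube.com reference that legitimate encoded files carry.

Added example, not SiteLock's tooling. The heuristic patterns and sample
contents are constructed for illustration; tune them before use on a site.
"""
import re
from pathlib import Path

# Assumption: legitimate ionCube-encoded files carry a loader-check stub that
# names the ionCube Loader and points the reader to ioncube.com. A file that
# matches the first pattern but not the second matches the discrepancy
# SiteLock described and deserves manual inspection.
LOADER_STUB = re.compile(r"ionCube\s+Loader", re.IGNORECASE)
VENDOR_REF = re.compile(r"ioncube\.com", re.IGNORECASE)


def classify(content: str) -> str:
    """Return 'plain' (not ionCube-like), 'legit-like' or 'suspicious'."""
    if not LOADER_STUB.search(content):
        return "plain"
    return "legit-like" if VENDOR_REF.search(content) else "suspicious"


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk a CMS install and bucket every .php file by classification."""
    report: dict[str, list[str]] = {"plain": [], "legit-like": [], "suspicious": []}
    for path in root.rglob("*.php"):
        try:
            content = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file; record separately if needed
        report[classify(content)].append(str(path))
    return report


# Constructed sample contents standing in for files found under a CMS tree.
SAMPLE_LEGIT = (
    "<?php //00abc\nif(!extension_loaded('ionCube Loader')){"
    "die('This file requires the ionCube PHP Loader: see ioncube.com');}?>"
)
SAMPLE_SUSPICIOUS = (
    "<?php //00abc\nif(!extension_loaded('ionCube Loader')){"
    "die('Loader missing');}?>\nHR+cP..."
)
SAMPLE_PLAIN = "<?php echo 'hello'; ?>"

if __name__ == "__main__":
    for name, body in [("legit", SAMPLE_LEGIT), ("bad", SAMPLE_SUSPICIOUS)]:
        print(name, classify(body))  # prints: legit legit-like / bad suspicious
```

Files bucketed as "suspicious" are candidates for the deeper investigation the article recommends, not confirmed malware; a legitimate vendor may ship a stub that omits the domain.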


This was last published in September 2018
