
IonCube malware: Who do these malicious files put at risk?

Malicious files posing as legitimate ionCube files were recently found by WordPress and Joomla admins. Learn how the ionCube malware works with expert Nick Lewis.

WordPress and Joomla admins are being warned of a new strain of malware named ionCube that poses as legitimate ionCube files. How does the ionCube malware work and who is at risk?

While everyone wants a website, not everyone has the resources to build, administer and secure their own. Content management systems (CMS), such as WordPress and Joomla, may seem to be the solution.

Widespread use of these CMSes has created a robust ecosystem of add-ons and other additions to the core CMSes to give businesses and individuals the features and functionality they need to run their websites with minimal technical skills.

Some add-ons are commercial products whose developers protect their intellectual property with ionCube, which encodes the add-on's PHP source so that it cannot be read or modified and, where the vendor chooses, runs only on licensed websites.

IonCube Ltd., a U.K. software publisher, produces one popular mechanism for protecting CMS code written in PHP. The ionCube encoder converts PHP source into an encoded form that third parties cannot read or change, and the ionCube loader, a PHP extension installed on the web server, decodes and executes those files at runtime. Because the loader is a legitimate and widely deployed component, an encoded file sitting in a CMS directory is not in itself unusual, which is what makes the format attractive as a disguise.

SiteLock LLC, a website security vendor based in Scottsdale, Ariz., recently reported that its researchers had discovered a new type of malware that borrows the appearance of ionCube-encoded files to hide on compromised CMSes. The malicious files imitate the loader stub and encoded-payload layout of genuine ionCube files closely enough that an administrator or a naive scanner could take them for protected commercial code.

The ionCube malware files differ from legitimate ionCube-encoded files in several ways. The most visible is that they lack the internal reference to the ionCube domain, ioncube.com, that legitimate encoded files carry. SiteLock also reported other indicators of compromise in the malicious files.

The researchers identified more than 700 websites infected with over 7,000 malicious files, but they did not say how the websites had been compromised. The infected sites were all PHP applications, including WordPress, Joomla and CodeIgniter installations, and could have been infected through exploits of outdated CMS core code or outdated add-ons.

SiteLock recommends that websites showing these indicators be scanned for malware and that site owners deploy a web application firewall. Any file in the CMS tree that no administrator authorized or uploaded is itself a sign of compromise; rather than simply deleting it, investigate the system to determine whether and how deeply its security was compromised.
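The two checks described above, the missing ioncube.com reference and the hunt for files no administrator put there, can be combined into a single triage pass over a document root. The script below is an added example written for this article; it is not code from the original article, from SiteLock or from ionCube. It assumes the loader stub strings it looks for (`ionCube Loader`, `ioncube_loader_`) as a heuristic for "this file presents itself as ionCube-encoded", compares the tree against a known-good SHA-256 baseline to find new or changed files, and classifies only those. The sample files it writes are constructed for the demonstration, not captured malware.

```python
"""Triage a CMS document root for fake ionCube files.

Added example; not code from the original article, SiteLock or ionCube.
Heuristic taken from the article: a fake ionCube stub lacks the ioncube.com
reference that genuine encoded files carry. The stub marker strings below and
the sample files at the bottom are assumptions/constructions, not captures.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Strings an ionCube loader stub uses to announce itself (assumed; tune
# against real encoded files before relying on them).
STUB_MARKERS = (b"ionCube Loader", b"ioncube_loader_")
# Reference present in genuine stubs and, per SiteLock, absent from the fakes.
LEGIT_REFERENCE = re.compile(rb"ioncube\.com", re.IGNORECASE)
HEAD = 4096  # the stub sits at the top of the file; only that much is examined


def classify_php(data: bytes) -> str:
    """Return 'plain', 'ioncube' or 'suspicious' for one PHP file's bytes."""
    head = data[:HEAD]
    if not any(marker in head for marker in STUB_MARKERS):
        return "plain"
    return "ioncube" if LEGIT_REFERENCE.search(head) else "suspicious"


def hash_tree(root: Path) -> dict[str, str]:
    """Map relative POSIX path -> SHA-256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def diff_baseline(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Files that appeared, disappeared or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def triage(root: Path, baseline: dict[str, str]) -> dict[str, str]:
    """Classify every PHP file that is new or changed relative to the baseline."""
    changes = diff_baseline(baseline, hash_tree(root))
    return {
        rel: classify_php((root / rel).read_bytes())
        for rel in changes["added"] + changes["modified"]
        if rel.endswith(".php")
    }


# Constructed samples. GENUINE_STUB mirrors the shape of a loader stub with the
# ioncube.com notice; FAKE_STUB imitates the stub but drops that notice.
GENUINE_STUB = (
    b"<?php //0046a\n"
    b"if(!extension_loaded('ionCube Loader')){$__oc=strtolower(substr(php_uname(),0,3));"
    b"$__ln='ioncube_loader_'.$__oc.'_'.substr(phpversion(),0,3).(($__oc=='win')?'.dll':'.so');"
    b"@dl($__ln);}\n"
    b"// This encoded file requires a loader available from http://www.ioncube.com\n"
    b"?>\nHR+cPqF3...encoded payload...\n"
)
FAKE_STUB = (
    b"<?php //0046a\n"
    b"if(!extension_loaded('ionCube Loader')){$__oc=strtolower(substr(php_uname(),0,3));"
    b"$__ln='ioncube_loader_'.$__oc.'_'.substr(phpversion(),0,3);}\n"
    b"?>\nQk9Z0...payload the file decodes by itself...\n"
)
PLAIN_PHP = b"<?php echo 'hello'; ?>\n"


def demo() -> dict[str, str]:
    """Baseline a known-good tree, plant a fake file, modify another, flag both."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "plugins").mkdir()
        (root / "plugins" / "premium.php").write_bytes(GENUINE_STUB)
        (root / "index.php").write_bytes(PLAIN_PHP)
        baseline = hash_tree(root)  # taken while the site is known-good
        (root / "plugins" / "cache.php").write_bytes(FAKE_STUB)  # dropped by attacker
        (root / "index.php").write_bytes(PLAIN_PHP + FAKE_STUB)  # appended to
        return triage(root, baseline)


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:10s} {path}")
```

The untouched genuine add-on file never reaches the classifier because its hash has not changed, which is the point of baselining: the domain check alone would also pass a look-alike that simply includes the string ioncube.com, so treat a "suspicious" verdict as a triage signal that justifies the deeper investigation the article calls for, not as proof, and extend the classifier with the other indicators SiteLock published once you have them.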

