A new piece of WordPress malware has been discovered disguised as an SEO plug-in called WP-Base-SEO. The malware plug-in has the ability to create backdoors on infected WordPress accounts. How does this new WordPress malware work, and are there any ways for users to identify fake or malicious plug-ins?
It's never been easy to evaluate potentially malicious software, and the stakes continue to get higher. App stores adding minimal security checks have made it somewhat easier, but you're stuck in the walled garden of the app store vendor. While this can protect end users, it doesn't help when what you need isn't in the app store.
There is a WordPress app store that offers thousands of plug-ins for websites using WordPress, but it has minimal criteria for hosting plug-ins.
Jessica Ortega, web security research analyst at SiteLock LLC, a website security company based in Scottsdale, Ariz., wrote about a malicious SEO plug-in for WordPress. Ortega noted that the code looks legitimate based on the header comment in the code.
However, as SiteLock researchers analyzed the code, they identified potentially suspicious functionality that could create a backdoor on the infected WordPress install. One of the simple obfuscation steps the WordPress malware authors used in the plug-in was the line $myfunc = 'bas' . 'e64_' . 'dec' . 'ode'; which builds the function name from string fragments to hide the use of the PHP base64_decode function. That function decodes data that was encoded with the Multipurpose Internet Mail Extensions (MIME) base64 binary-to-text encoding scheme.
Something like this should seem out of place in a potentially legitimate plug-in, which could alert your Spidey sense that something is wrong. However, it is very difficult for nontechnical people to evaluate code at this level, so relying on app store security checks and user feedback may be the best some users can be expected to do.
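For reviewers who do read plug-in source, the concatenation trick above can be checked for mechanically. The following Python sketch is an added example, not SiteLock's tooling or code from the plug-in: it folds chains of concatenated PHP string literals and reports variables that resolve to a sensitive function name and are then called as a function. The function list beyond base64_decode and the sample source are assumptions constructed for illustration.

```python
import re

# base64_decode is the function named in the article; the other entries are
# assumptions added for this example, not taken from the SiteLock analysis.
SENSITIVE = {"base64_decode", "gzinflate", "str_rot13", "create_function"}

# One quoted PHP string literal (escapes and interpolation are out of scope).
LIT = r"""(?:'[^'\\]*'|"[^"\\$]*")"""
# $var = 'a' . 'b' . 'c';  -> two or more literals joined with the "." operator
ASSIGN = re.compile(rf"(\$\w+)\s*=\s*({LIT}(?:\s*\.\s*{LIT})+)\s*;")

def fold(chain):
    """Return the string PHP would build from a chain of concatenated literals."""
    return "".join(lit[1:-1] for lit in re.findall(LIT, chain))

def scan(php_source):
    """Report variables assigned a split-up sensitive function name.

    Each finding is (line, variable, resolved_name, lines_where_called).
    """
    lines = php_source.splitlines()
    findings = []
    for no, line in enumerate(lines, 1):
        for var, chain in ASSIGN.findall(line):
            name = fold(chain).lower()  # PHP function names are case-insensitive
            if name not in SENSITIVE:
                continue
            call = re.compile(re.escape(var) + r"\s*\(")  # variable function call
            used = [n for n, text in enumerate(lines, 1) if call.search(text)]
            findings.append((no, var, name, used))
    return findings

# Constructed sample plug-in source, not the real WP-Base-SEO code.
SAMPLE = """<?php
/* Plugin Name: Example SEO Helper (constructed) */
$title = 'Site' . ' ' . 'Title';
$myfunc = 'bas' . 'e64_' . 'dec' . 'ode';
add_action('init', 'example_init');
$decoded = $myfunc($encoded);
"""

if __name__ == "__main__":
    for line, var, name, used in scan(SAMPLE):
        print(f"line {line}: {var} resolves to {name}(); called on lines {used}")
```

A hit is a prompt for manual review rather than proof of malice, and the check only covers literal concatenation on a single line.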
Malicious programs masquerading as legitimate software, such as this WordPress malware, are not uncommon. Enterprises should encourage their app stores to incorporate security into the entire ecosystem and to add additional checks of the application and the developer to improve trust in the store. While there may be increased costs, enterprises may be willing to pay for the time savings from not needing to spend as much time evaluating software.
Enterprises may even want to collaborate with their industry peers or Information Sharing and Analysis Centers to share this information. The SiteLock Research Team also mentioned using a service or application to check website security, which is good advice.