WordPress Plugin Alert — LoginWall Imposter Exposed

When you work with malware for a while, you become very good at pattern recognition. A couple of sites in every hundred we clean turn out to be infected in a similar way, and remembering the earlier case helps solve the current one quickly. You might not know exactly why something seems fishy at first, but you follow your instinct because something gnaws at you. Eventually, you start to see the pattern.

In the last couple of weeks we've noticed just such a pattern: a number of websites have been infected through a malicious plugin posing as the legitimate one called LoginWall.

The legitimate LoginWall is a SaaS-based service that protects WordPress sites against brute-force login attacks. It also doubles as a simple but strong authentication layer for the admin account, without requiring hardware tokens. In short, it's a useful plugin, as long as you have the genuine one.

How do you know if the plugin is valid?

First, remember that you should only trust plugins downloaded from the official WordPress.org plugin directory or directly from the author's own site. We wrote about this last month, but it's important to keep hammering the point home.

Now, with this plugin, understand that you can't simply trust the name shown in the plugin list under wp-admin/. As you can see, it's almost the same as the original.

[Screenshot: the fake plugin's entry as it appears in the wp-admin plugin list]

The next difference between the original plugin and the malicious version is the folder name. The attacker made them similar, but the difference is easy to spot once you look at the two side by side:

Here’s the original version:
/wp-content/plugins/loginwall-for-wp-beta/

And here’s the malicious version:
/wp-content/plugins/LoginWall-XyXYXY/

But what does this malicious plugin do?

The basic version of the fake plugin doesn't change anything in your site's content, so you won't see a defacement and your site won't distribute malware to visitors. Instead, it downloads spammy pages from remote locations and stores them under LoginWall-XyXYXY/assets/. Those pages are crafted by mixing your site's own content with the spam so that it looks more legitimate; the goal is to drive links and visits to other sites and make money from them.
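The two file-system tells described above (a folder name that does not match the genuine plugin's slug, and an assets/ directory stuffed with spam pages linking off-site) can be checked with a short script. The one below is an added example for this write-up, not Sucuri's tooling and not the plugin's own code: it walks a wp-content/plugins directory, reads each plugin's "Plugin Name:" header, and flags folders that are not lowercase slugs (WordPress.org slugs always are, so a mixed-case name is a heuristic, not proof), folders that declare the same name as another installed plugin, and HTML files under assets/ that link to hosts other than your own. The plugin header text, the page contents and the hostname example.com are constructed for the demo; only the two folder names come from the article.

```python
import os
import re
import tempfile
from collections import defaultdict

# Added example (not Sucuri's tooling). Audits a wp-content/plugins directory
# for the three signs discussed in the article. Header text, sample page and
# the host example.com are constructed; only the folder names
# "loginwall-for-wp-beta" and "LoginWall-XyXYXY" come from the write-up.

HEADER_RE = re.compile(r"^\s*\*?\s*Plugin Name:\s*(.+?)\s*$", re.MULTILINE)
HOST_RE = re.compile(r"""href=["']https?://([^/"']+)""", re.IGNORECASE)


def plugin_name(plugin_dir):
    """Plugin Name header from the first top-level PHP file that declares one."""
    for entry in sorted(os.listdir(plugin_dir)):
        path = os.path.join(plugin_dir, entry)
        if entry.endswith(".php") and os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                match = HEADER_RE.search(fh.read(8192))
            if match:
                return match.group(1)
    return None


def normalize(name):
    """Collapse case and punctuation so 'LoginWall' and 'Login-wall' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def outbound_pages(plugin_dir, site_host):
    """HTML files under assets/ that link to hosts other than the site itself."""
    assets = os.path.join(plugin_dir, "assets")
    hits = []
    if not os.path.isdir(assets):
        return hits
    for root, _dirs, files in os.walk(assets):
        for name in files:
            if not name.lower().endswith((".html", ".htm")):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hosts = {h.lower() for h in HOST_RE.findall(fh.read())}
            if hosts - {site_host.lower()}:
                hits.append(os.path.relpath(path, plugin_dir))
    return sorted(hits)


def audit_plugins(plugins_root, site_host):
    """Map each suspicious plugin folder to the list of findings against it."""
    findings = defaultdict(list)
    by_name = defaultdict(list)
    for slug in sorted(os.listdir(plugins_root)):
        pdir = os.path.join(plugins_root, slug)
        if not os.path.isdir(pdir):
            continue
        if slug != slug.lower():  # heuristic: WordPress.org slugs are lowercase
            findings[slug].append("folder name is not a lowercase slug")
        name = plugin_name(pdir)
        if name:
            by_name[normalize(name)].append(slug)
        for page in outbound_pages(pdir, site_host):
            findings[slug].append("assets page linking off-site: " + page)
    for slugs in by_name.values():
        if len(slugs) > 1:  # two folders claiming to be the same plugin
            for slug in slugs:
                others = ", ".join(s for s in slugs if s != slug)
                findings[slug].append("same Plugin Name as " + others)
    return dict(findings)


def build_sample_tree():
    """Constructed plugins directory: a clean folder beside an impostor."""
    root = tempfile.mkdtemp()
    legit = os.path.join(root, "loginwall-for-wp-beta")
    fake = os.path.join(root, "LoginWall-XyXYXY")
    os.makedirs(legit)
    os.makedirs(os.path.join(fake, "assets"))
    with open(os.path.join(legit, "loginwall.php"), "w") as fh:
        fh.write("<?php\n/*\nPlugin Name: LoginWall for WP\n*/\n")
    with open(os.path.join(fake, "loginwall.php"), "w") as fh:
        fh.write("<?php\n/*\nPlugin Name: Loginwall For WP\n*/\n")
    with open(os.path.join(fake, "assets", "cheap-deals.html"), "w") as fh:
        fh.write('<p>Our site</p><a href="http://spam.invalid/buy">buy</a>')
    return root


if __name__ == "__main__":
    for slug, issues in audit_plugins(build_sample_tree(), "example.com").items():
        print(slug, "->", "; ".join(issues))
```

Run it against a real install as audit_plugins("/var/www/html/wp-content/plugins", "your-domain.example") and review every folder it names; the duplicate-name check is the one that would have caught this case even if the attacker had picked a lowercase folder name.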

That's the basic version of the fake LoginWall plugin. We also found another variant that embeds itself directly in the WordPress database. This one is even trickier to spot because part of it is base64-encoded.

If you want to check for this hack, open your database and look at the wp_options table (the wp_ prefix may differ on your install). Check every entry with autoload set to 'yes', since those are loaded on every page request; if you see entries like the following, the malware payload has infected your site:

[Screenshot of the malicious wp_options entry; the payload itself is not reproduced on this page]
There are also some other encoded entries. To get rid of them, first make a backup of the database (better safe than sorry), then delete those records.
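Eyeballing every autoloaded row in wp_options is tedious, and the presence of base64 alone proves nothing (keys, hashes and serialized data look the same). The script below is an added example for this post, not Sucuri's tooling and not the real payload: it takes rows exported with SELECT option_name, option_value, autoload FROM wp_options WHERE autoload = 'yes' (as a list of tuples), finds base64 runs long enough to carry code, decodes them, and reports only those whose decoded text, or whose raw value, contains PHP constructs that have no business in an option value (<?php, eval(, gzinflate( and friends). All sample rows, including the loader string, are constructed for the demo.

```python
import base64
import binascii
import re

# Added example (not Sucuri's tooling). Rows are (option_name, option_value,
# autoload) tuples as exported from wp_options. The sample rows and the
# "loader" string below are constructed for this demo, not a real payload.

# PHP constructs that should never appear inside a WordPress option value.
PHP_INDICATORS = ("<?php", "eval(", "base64_decode(", "gzinflate(",
                  "gzuncompress(", "str_rot13(", "assert(", "create_function(")

# A run of base64 alphabet long enough to carry code rather than a short token.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_blobs(value):
    """Yield the text of every decodable base64 run found in value."""
    for blob in B64_RUN.findall(value):
        try:
            raw = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue  # not really base64 (bad length or padding): skip it
        yield raw.decode("utf-8", errors="replace")


def php_indicator(text):
    """Return the first PHP indicator present in text, or None."""
    low = text.lower()
    for marker in PHP_INDICATORS:
        if marker in low:
            return marker
    return None


def suspicious_options(rows):
    """Return [(option_name, reason)] for autoloaded rows that look like payloads."""
    findings = []
    for option_name, option_value, autoload in rows:
        if autoload != "yes":
            continue  # only autoloaded options run on every request
        marker = php_indicator(option_value)
        if marker:
            findings.append((option_name, "raw PHP marker " + marker))
            continue
        for text in decode_blobs(option_value):
            marker = php_indicator(text)
            if marker:
                findings.append((option_name, "base64-encoded PHP (%s)" % marker))
                break
    return findings


def sample_rows():
    """Constructed sample rows, not a dump from a real site."""
    loader = b"<?php eval(gzinflate(base64_decode($v))); ?>"
    return [
        ("siteurl", "https://example.com", "yes"),
        ("blogname", "Example Site", "yes"),
        ("secret_key", "a3f1" * 16, "yes"),          # 64 hex chars: decodes to noise, not flagged
        ("widget_text", "a:1:{i:2;a:0:{}}", "yes"),  # ordinary serialized PHP data
        ("lw_cache", base64.b64encode(loader).decode(), "yes"),
        ("lw_tmp", "<?php echo 1; ?>", "no"),        # not autoloaded: outside this check
        ("xz_hook", "return eval(stripslashes($c));", "yes"),
    ]


if __name__ == "__main__":
    for name, reason in suspicious_options(sample_rows()):
        print("%-12s %s" % (name, reason))
```

Feed it the real export (for example via a CSV dump from phpMyAdmin or the mysql client) and note that the 64-character hex row is deliberately there: it is valid base64 and decodes cleanly, but carries no PHP, so it is not reported. Anything the script does report should be backed up, inspected, and then deleted as described above.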

Conclusion

It is important to understand that any unprotected website can be hacked. The key for site owners is to accept this and put tools in place that quickly identify when a site has been compromised. For instance, if the site we just cleaned had been running our free plugin, its owner would have received an alert immediately, telling her the website was in trouble.

Catching the compromise at the moment it happens lets a website owner take immediate action, such as changing all passwords and removing the malicious plugin. It also keeps Google (and other search engines) from blacklisting the domain and damaging customer trust in that domain or brand.

About Rafael Capovilla

Rafael is a Senior Security Analyst at Sucuri, Inc, currently leading the Website Firewall Support team. He loves IT security in general but his real passion is being able to dig into logs to do research, analysis, and correlation of web-based malware and evasion techniques. When not working, he is cooking some ogre-type food. Find him on Twitter @rmcapovilla.

  • Denis Sinegubko

    Just a note, actually such “added” spammy sections on your site may result in Google marking your sites as “may be hacked” in search results. So don’t forget to regularly check your site search results in Google and look through reports in Google Webmaster Tools where you may notice suspicious search requests and indexed pages.

  • javy

    I’ve also found some base64 encodings in index.php in doc root, FYI for anyone who may be trying to clean this up.

  • H.S.

    “Eventually, you start to see the pattern.” or go crazy.

  • John R

    A customer got hacked with the “Christian-Loboutin” spam links being displayed to Google by the site’s default index page. This was NOT a WordPress site. It was an IIS server. Cleaned once, along with new passwords on all accounts (domain, host, ftp, email) associated with the site. A week later the code was again injected into the index page. In addition, amazingly, the hacker registered themselves with Google Webmaster Tools, loaded Google’s identification file, and Google approved them as an official webmaster of the site! Cleaned all that again, and scolded Google for participating in the hack job. The client did have some very old FrontPage files on their host, so those were removed. Safe for 2 months.