Fox-IT, based in Delft in the Netherlands, just published some amazing research regarding an increasing threat to content management systems they’ve named CryptoPHP. If you’re technically minded and want as much detail as possible, I recommend you skip this blog entry and head straight over to the whitepaper that Fox-IT has published on the CryptoPHP backdoor (it’s 50 pages). I’ve summarized the details:
CryptoPHP is a threat that uses backdoored Joomla, WordPress and Drupal themes and plug-ins to compromise web servers. By publishing pirated themes and plug-ins free for anyone to use instead of having to pay for them, the CryptoPHP actor is social engineering site administrators into installing the included backdoor on their server.
Nulled scripts with a sophisticated infection pre-installed are also being distributed via several websites. Nulled scripts are commercial web applications, obtained from pirate websites, that have been modified to work without a license key. They are the web equivalent of pirated software. Fox-IT have dubbed the threat CryptoPHP because it encrypts data before sending it to its command and control servers.
The infection is relatively simple: Inside the CMS software, either WordPress, Joomla or Drupal, there’s a little line of code that looks like this:
<?php include('assets/images/social.png'); ?>
Or like this:
<?php include('images/social.png'); ?>
If you’re a PHP developer you will immediately recognize this as looking strange: it is a PHP directive to include an external file containing PHP source code, but the file is named as an image. Inside this image file is actual PHP, and the code is obfuscated (hidden through scrambling) to try and hide the fact that it’s malicious.
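As an added illustration (not code from the Fox-IT whitepaper or from this post), here is a small Python scanner that looks for the two indicators just described: PHP files that include or require an image-named path, and files with an image extension that lack image magic bytes or contain a PHP open tag. The sample theme tree it builds is constructed for the demo; the extension list and regular expression are assumptions and will not catch every variant.

```python
import os
import re
import tempfile

# Assumed indicators (not from the whitepaper): image extensions that should
# never be the target of include/require, and image magic bytes we expect.
IMAGE_EXTS = ('.png', '.jpg', '.jpeg', '.gif', '.bmp', '.ico')
MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")

# include/require/(_once) with a quoted path ending in an image extension
SUSPICIOUS_INCLUDE = re.compile(
    r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+\.(?:png|jpe?g|gif|bmp|ico))['\"]",
    re.IGNORECASE,
)
PHP_TAG = re.compile(rb"<\?php\b|<\?=", re.IGNORECASE)


def scan_php_source(text):
    """Return the image-named paths pulled in by include/require in PHP source."""
    return SUSPICIOUS_INCLUDE.findall(text)


def inspect_image_bytes(data):
    """Return findings for a file that, judging by its name, should be an image."""
    findings = []
    if not any(data.startswith(m) for m in MAGIC):
        findings.append("no image magic bytes")
    if PHP_TAG.search(data):
        findings.append("contains PHP open tag")
    return findings


def scan_tree(root):
    """Walk a CMS directory and return sorted (relative path, finding) tuples."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            lower = name.lower()
            if lower.endswith(('.php', '.inc', '.phtml')):
                with open(path, 'r', errors='replace') as f:
                    for target in scan_php_source(f.read()):
                        findings.append((rel, f"includes image file {target}"))
            elif lower.endswith(IMAGE_EXTS):
                with open(path, 'rb') as f:
                    for msg in inspect_image_bytes(f.read()):
                        findings.append((rel, msg))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed sample theme tree (stand-in data, not real CryptoPHP files)."""
    root = tempfile.mkdtemp(prefix="cryptophp_demo_")
    images = os.path.join(root, "theme", "assets", "images")
    os.makedirs(images)
    with open(os.path.join(root, "theme", "functions.php"), "w") as f:
        f.write("<?php\ninclude('assets/images/social.png');\nrequire_once 'lib.php';\n")
    with open(os.path.join(root, "theme", "lib.php"), "w") as f:
        f.write("<?php echo 'ok';\n")
    with open(os.path.join(images, "social.png"), "wb") as f:
        # constructed stand-in for an obfuscated payload hidden in a .png
        f.write(b"<?php /* constructed placeholder */ ?>")
    with open(os.path.join(images, "logo.png"), "wb") as f:
        f.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)  # a genuine-looking PNG header
    return root


if __name__ == "__main__":
    for rel, msg in scan_tree(build_sample_tree()):
        print(f"{rel}: {msg}")
```

Run it against a real web root by replacing `build_sample_tree()` with the path to your CMS install; a legitimate image will pass both byte checks, while the `social.png` pattern from the post is flagged twice (no magic bytes, PHP tag present) and once more at the PHP file that includes it.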
Fox-IT has determined that the purpose of the malware is, currently, to engage in black-hat SEO by injecting links to other, presumably malicious, websites into your content. However, this infection is sophisticated and it communicates with command and control servers that can instruct it to do a variety of tasks, including upgrading itself. So this is a classic botnet infection which turns all infected websites into drones that can be instructed to do just about anything, from sending spam email to SEO spam to hosting illegal content to performing attacks on other websites.
The researchers think they may have identified the location of the author. Inside the code of the malware is a user-agent (browser) check that tests whether the web browser user-agent equals ‘chishijen12’. If it does, the application is instructed to output all PHP errors to the browser, presumably for debugging purposes. Fox-IT found an IP address associated with that user-agent, and the IP is based in the state of Chisinau in Moldova. The name of the state is similar to the user-agent string, which gives their theory some credence.
The capabilities of the CryptoPHP backdoor include:
- Integration into popular content management systems like WordPress, Drupal and Joomla
- Ability to update itself
- Public key encryption for communication between the compromised server and the command and control (C2) server
- Backup mechanisms in place against C2 domain takedowns in the form of email communication
- Manual control of the backdoor besides the C2 communication
- An extensive infrastructure in terms of C2 domains and IPs
- Remote updating of the list of C2 servers
- Viewing error logs and statistics of your web site
You can find the full whitepaper discussing this new threat here; it includes quite a bit of technical detail if you’re a developer or information security researcher.
Please help spread the word about the danger involved in downloading or distributing nulled scripts and help keep the community safe.
What We’ve Done For Our Customers
AISO.Net is always working to ensure maximum security for our customers. Here’s what we’ve done since learning about the CryptoPHP backdoor.
- Our real-time web security rules (WAF) to protect against this security issue were updated automatically on November 21, 2014.
- Updated the IDS/IPS systems for the security issue’s call home, to detect when and which server is infected.
- The attackers are unable to compromise the server or any client sites besides the infected site due to our user-level virtualization.
What You Can Do to Protect Against These Kinds of Infections
- Download & use plug-ins that are from reputable & verified sources.
- Ensure plugins & core CMS code are up to date with the latest versions.
- Download security scanning tools such as iThemes Security or Wordfence