Using pirated software is bad. You know that…well, at least I hope that you do. Pirated music, software, books…the creators don’t get paid for them, and you are likely getting a nasty extra payload along with the freebie. In the web development world, this can take the form of themes and plugins for your content management system. There are several sites out there that host illegal copies of premium themes and plugins for free download…things like WooCommerce add-ons or themes, for example. These are called nulled scripts.
What are Nulled Scripts?
Basically, it’s software with the copy protection stripped, the same as a music or movie torrent, only specifically focused on code packages for your website. Nulled scripts exist for just about any content management system that you can think of, and people use them more than you might think. Ethically, this is a huge issue, because the creator isn’t compensated for her work. Practically, this is an issue for you, because you often open yourself up to untoward nastiness. That’s the case with CryptoPHP.
CryptoPHP: An Equal Opportunity Threat
Fox IT discovered what we’re now calling CryptoPHP, and published a thorough whitepaper on the exploit. This threat has been in the wild for at least a year, and has infected WordPress, Drupal, and Joomla sites. Basically, the author of the exploit packages the malicious code with a plugin or theme that’s posted on one of the sites giving them away illegally, the code activates when you install the package, and the ne’er-do-well now has a backdoor to your server.
How Does it Work?
The malicious code that makes the backdoor connection to the bad guy’s server isn’t easy to spot. Essentially, each nulled script contains an include statement that pulls in a file with an image file extension, which would appear something like:
That should raise an eyebrow, because an include statement isn’t used to bring in image assets, it’s used to bring in other code. The image file that the include statement pulls in is actually scrambled PHP, and it’s this code that sets up the connection between your site and the attacker. From a WordPress perspective, the exploit writes records to your database, and hides itself when you are logged in so as to not be easily detectable. The whitepaper describes the connection procedure in detail.
Fox IT estimates a vast majority of the themes and plugins on the sites that they researched are infected with this exploit.
What’s the Damage?
Right now, the exploit appears to be used primarily for black hat SEO by means of injecting links into the content of the site using the nulled script. Theoretically, this exploit could be leveraged for a full-blown botnet, as WordFence points out in their post on the subject. The point is that you don’t want anyone but you accessing your server. Cleaning up the fallout of having your SEO trashed by some black hat tactics could easily be the least of your concerns.
Am I Infected?
The first telltale sign is odd HTTP POST requests from the server where your site is hosted. If you’re seeing POST requests with no referrer or no user agent, for example, this is a red flag. Fox IT also details significantly different timestamps in certain files of the theme or plugin. In WordPress, a code snippet similar to the one above is generally located in the nulled plugin’s main script file, or in functions.php in the case of a theme. In Drupal, the code snippet is in the template.php file. In Joomla, look in the plugin’s main script, or in component.php. A manual inspection of these files, or a quick grep from the command line, should give you an idea if the nasty code is lurking in your site.
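The "quick grep" mentioned above, as an added example that is not part of the original post and not Fox IT’s or WordFence’s tooling: a small shell script that walks a directory of PHP files and flags any include/require statement whose target has an image extension (the pattern described in the "How Does it Work?" section). The sample theme and plugin files it creates under a temporary directory are constructed here so that it runs offline; the path assets/images/example.png is a made-up placeholder, not a real indicator from the whitepaper.

```shell
#!/bin/sh
# Hypothetical detection helper (not from the original post or from Fox IT).
# Lists include/require statements in *.php files whose target ends in an
# image extension, printing "file:line:text" for each match.

find_image_includes() {
    dir="$1"
    # include / include_once / require / require_once, optional "(", a quote,
    # then any path ending in a common image extension. The /dev/null argument
    # forces grep to print filenames even when only one file is scanned.
    pat="(include|require)(_once)?[[:space:]]*\(?[[:space:]]*['\"][^'\"]*\.(png|jpe?g|gif|bmp|ico)['\"]"
    find "$dir" -type f -name '*.php' -exec grep -niE "$pat" /dev/null {} + 2>/dev/null
}

# Number of suspicious include statements found under a directory.
count_image_includes() {
    find_image_includes "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree: one "nulled" theme with the suspicious
# include, one clean plugin that only references an image in an <img> tag.
make_sample() {
    sample=$(mktemp -d)
    mkdir -p "$sample/themes/nulled-theme/assets/images" "$sample/plugins/clean-plugin"
    cat > "$sample/themes/nulled-theme/functions.php" <<'EOF'
<?php
// theme setup (constructed sample)
include('assets/images/example.png');
add_action('init', 'theme_setup');
EOF
    cat > "$sample/plugins/clean-plugin/clean-plugin.php" <<'EOF'
<?php
// benign: requires PHP code, and only mentions a png inside HTML output
require_once __DIR__ . '/includes/helpers.php';
echo '<img src="assets/images/logo.png" alt="logo">';
EOF
    echo "$sample"
}

SAMPLE_DIR=$(make_sample)
echo "Scanning $SAMPLE_DIR"
find_image_includes "$SAMPLE_DIR"
echo "Suspicious includes found: $(count_image_includes "$SAMPLE_DIR")"
```

Point it at wp-content/, or the Drupal themes/ and Joomla plugins/ and components/ directories, instead of the sample tree. A hit is a reason to open the file and look, not proof of infection on its own: the scrambled payload the text describes can also be hidden behind a variable or a concatenated path, so a clean grep result should be paired with the timestamp comparison and the outbound POST check mentioned above.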
WordFence has been updated to catch the most recent version of the exploit, and Fox IT has created Snort IDS signatures and published detailed detection information in its whitepaper.
Feel free to get in touch with me if you’re concerned about your site, and I’ll help you look for signs of the exploit. And, yes, I will insist that you stop using nulled scripts.