Reversing some WordPress malware

Last Updated on August 1, 2017 by Dave Farquhar

Aug 2016 update: Back in 2015, some kind of spam bot wormed its way into my site. I quickly cleaned it up, then decoded the attack and posted details here. Not long after, the spambot started directing traffic to this post, because it contains enough of the magic words, I guess. Only instead of serving up spam, it’s serving up my analysis. I’d rather you read this than spam, so I’ve left this page up.

On to the original post…

A few minutes ago I received an alert that some files had changed on my site (thanks to All-In-One WP Security). But I hadn’t changed anything and WordPress hadn’t updated itself.

Here’s what I found, and how I fixed it.

First, here was the message:

A file change was detected on your system for site URL https://dfarq.homeip.net. Scan was generated on Thursday, August 6th, 2015 at 5:25 pm

A summary of the scan results is shown below:

The following files were added to your host:

/var/www/nzspm.xxx (modified on: 2015-08-06 17:24:39)
/var/www/wp-includes/pomo.php (modified on: 2015-08-06 20:07:27)
/var/www/.cache.php (modified on: 2015-08-06 22:00:01)
======================================

The following files were changed on your host:

/var/www/wp-includes/functions.php (modified on: 2015-08-06 20:07:18)
======================================

Login to your site to view the scan details.

Every one of those filenames looks shady for one reason or another, except for functions.php which is a standard file, but shouldn’t be modified. So I made backup copies of the three new files in my home directory, far far away from /var/www, then I deleted them. Then I visited my site and got the dreaded white screen of death, which wasn’t entirely surprising.

I opened up functions.php and searched for references to the suspicious filenames. I found a reference to pomo.php in the XMLRPC section. I made a backup copy of that file, again in my home directory, then deleted that entire codeblock.

That restored enough functionality that I could load my admin page. So then I visited my admin page, re-installed the current version of WordPress, and that restored a proper functions.php file.

I have no idea what this malware does yet. I’ll have to take a look and see if I can figure it out.

If you run a WordPress blog, I strongly recommend you check for the existence of these files and follow my remediation steps if you find them.

I also took the additional measure of enabling the advanced character string filter in All-in-One WP Security’s firewall, along with the 5G firewall. I’ve had problems with this breaking some functionality in the past, but for now I want the additional protection and if my site looks like it’s 1995, that’s OK for now.

Update 5:49PM: I zipped up the files and uploaded them to Virustotal, which produced the following output:

Searching for php.dkshell led me to Sourceforge, which suggests this is something from the Indian Cyber Force team.

Then I realized I hadn’t done an apt-get update ; apt-get upgrade in a little while, so I did that. Apache was a bit behind; perhaps that’s how they got in. But the source of the attack makes me a bit uncomfortable. Needless to say I reached out to a couple of former coworkers to see what they think.

Update 6:00 PM: One of the things this does is find your admin account and change it. They got my admin account, but it was a decoy so they couldn’t do much with it. Here’s what they changed it to (I’ll decode it later when I have time).

$admin_name = ’27a0e2015f9087981c0b95a29fc4ba57′;
$admin_pass = ‘9413c48772f73d5c305b65eb58a06f9c’;

Update 9:30 PM: I no longer believe they’re actually compromising the WordPress admin ID–I think this thing, whatever it is, is running its own authentication system and those are MD5 signatures for the username and password they’re using. The user ID decodes to ‘902239’ and I didn’t find that user ID in my database. The password decodes to ‘FSmakovSHELL’.

I think they’re using vulnerabilities in WordPress, Joomla, or Vbulletin to get in, then they’re leaving these files behind and using them either for command and control or as zombies.

If anyone else has found these files and wants to share notes, I’m perfectly willing. The files contain very heavily obfuscated PHP so it’s not entirely clear what they’re doing, but nzspm.xxx has some kind of authentication system in it and the capability to create files and directories. It seems too complex to just be a dropper. I think pomo.php is the dropper, and I’m not sure what .cache.php is doing besides playing games with the system time, because it’s just one line.

Update 10:30 PM. I was able to de-obfuscate some of the code using http://www.unphp.net/ and, thanks to that, find another indicator of compromise: a file in /tmp/f16f9a406c937f83b17317e1ca6cc3e7 containing a long list of IP addresses. So I removed that file as well.

I’m not exactly conducting a professional-grade investigation on this, as I know I’ll never find and prosecute whoever did this. But if you want to know the methodology, this is roughly what I follow:

Coral up any suspicious files and get them out of harm’s way as quickly as possible so as to preserve the computer they were on.

Find out what I can about the files from Virustotal. It’s a good source for easy clues and it tips off Google and virus makers about potentially malicious files.

Examine the files in a text editor for clues about what they do. Non-malicious PHP code doesn’t have anything to hide; even a non-programmer ought to be able to puzzle out its intent. Deliberately misleading and cryptic code is likely to be malicious.

Look for variables that appear to be user accounts, figure out how they are encoded, and reverse them.

Decode the cryptic code using a code de-obfuscator to look for other clues and files they may have stashed elsewhere.

If you can do this in a couple of different languages (PHP, ASP, and VBscript are good candidates) and enjoy adrenaline rushes, there is no shortage of job opportunities out there for you.