Dutch IT company Fox IT have released a white paper describing a hidden threat that exists inside popular content management systems called “CryptoPHP”. Whilst this threat has been around for a while, there has recently been a massive increase in the number of infections.
The white paper is very complicated, so probably only interesting if you are more technically minded. We have summarized the threat below.
What are Nulled Scripts?
A nulled script is a piece of software that has had its copy protection removed. For example, a premium WordPress theme or plugin may require a serial key which, when entered, unlocks the theme or plugin, its paid features, or simply entitles you to free upgrades.
Nulled scripts are essentially the same piece of software, but with the copy protection removed. Of course, this is illegal, but you will find many places, such as torrent sites, advertising free downloads of such software. You will quite often find a huge library of free premium WordPress themes and plugins, but as you will see below, there is no way of knowing whether other, more malicious changes have been made to these files.
One such change that is becoming more and more popular is the CryptoPHP Infection.
What is a CryptoPHP Infection?
This is the deliberate infection of nulled scripts. It most commonly occurs in “Free” premium WordPress themes or plugins, offered by dubious sites to people wanting, for free, something that would otherwise cost money.
What makes CryptoPHP so dangerous is that it encrypts the malicious code so it is not readily apparent… unless of course you are specifically looking for it.
An example of such an infection is a line of code similar to:
The include function is used to pull other PHP scripts into a script, so what makes this so suspicious is that an image is being included. You certainly wouldn’t include an image like this in a PHP script.
If you looked closer at the image file you would find that it is actually PHP code disguised as an image file. Because many malware scanning programs and plugins do not check image files, the code goes unnoticed.
In the image above, you can see the obfuscated malicious PHP code.
Whilst we have only mentioned WordPress-related examples, the infection can be contained in any PHP script, so sites running Joomla or Drupal, among others, may similarly be affected.
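To show what a defender-side check for the two tell-tales above looks like, here is an added example (not from the Fox IT paper, Sucuri or the original post) that scans a constructed theme tree for PHP files including image paths and for image files whose bytes are really PHP; the file names and contents are made up for the example.

```python
import re

IMAGE_EXTS = ("png", "jpg", "jpeg", "gif", "bmp", "ico")
IMAGE_SUFFIXES = tuple("." + e for e in IMAGE_EXTS)

# Tell-tale 1: include/require (or _once) of a quoted path ending in an image extension.
INCLUDE_RE = re.compile(
    r"\b(include|require)(_once)?\s*\(?\s*['\"]([^'\"]+\.(%s))['\"]" % "|".join(IMAGE_EXTS),
    re.IGNORECASE,
)

# Tell-tale 2: genuine images start with fixed magic bytes; a file that lacks them
# but carries a PHP open tag is code wearing an image extension.
IMAGE_MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff",
               "jpeg": b"\xff\xd8\xff", "gif": b"GIF8"}
PHP_TAG_RE = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)

def find_suspicious_includes(php_source):
    """Return every image path pulled in via include/require in a PHP source string."""
    return [m.group(3) for m in INCLUDE_RE.finditer(php_source)]

def image_contains_php(filename, data):
    """True if a file named like an image lacks image magic bytes and contains a PHP tag."""
    ext = filename.rsplit(".", 1)[-1].lower()
    magic = IMAGE_MAGIC.get(ext)
    looks_like_image = magic is not None and data.startswith(magic)
    return (not looks_like_image) and PHP_TAG_RE.search(data) is not None

def scan(files):
    """Walk a {path: bytes} tree and report files matching either tell-tale."""
    findings = []
    for name, data in files.items():
        lower = name.lower()
        if lower.endswith(".php"):
            for path in find_suspicious_includes(data.decode("utf-8", "replace")):
                findings.append("%s: includes image file %s" % (name, path))
        elif lower.endswith(IMAGE_SUFFIXES) and image_contains_php(name, data):
            findings.append("%s: image file contains PHP code" % name)
    return findings

# Constructed sample theme files (not real malware), modelled on the pattern described above.
SAMPLE_FILES = {
    "functions.php": b"<?php\ninclude('assets/images/social.png');\nadd_action('init', 'theme_setup');\n",
    "assets/images/social.png": b"<?php /* constructed stand-in for the obfuscated payload */ ?>",
    "assets/images/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
}

if __name__ == "__main__":
    for finding in scan(SAMPLE_FILES):
        print(finding)
```

A genuine image with PHP appended after its magic bytes would pass the second check on its own, which is why the include check is run alongside it: a real image is never a sensible include target, whatever its contents.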
What does it do?
The Fox IT white paper found that the CryptoPHP infection inserts spam and malicious website links into the infected website’s content. This can significantly affect your Google ranking over time, but it is primarily designed with Black Hat SEO in mind, i.e. using links from your site to artificially increase the ranking of other sites.
Quite often the scripts can be quite clever at masking themselves, so even if you do not think that you are infected it is still worth doing a scan (see below).
How do you fix your site if it is infected?
As we mentioned above, many malware scanning sites or plugins do not specifically check for this type of infection. For this reason we recommend using Sucuri as your website scanner of choice, as not only do they scan the include() statements but they scan the image files as well. To double check this we contacted Sucuri, who had this to say:
Best Host News:
Hi, does your scanner detect for CryptoPHP infections, either by scanning the include statements or scanning image files directly?
Sucuri:
Hey there. Yes. It can detect all kinds of infections and our tech can clean all of them.
Furthermore, if you do find you are infected, they can clean up any infection as well from just $99 for a whole year of cover. This means not only will they clean up the initial infection, but if it reoccurs (or any other infection occurs) within the year they will clean that up as well at no extra cost.
Choose a host that takes Security Seriously
Another thing we would recommend, if you are concerned about your site being hacked, is to choose a host that focuses on website security. SiteGround, for instance, took a proactive approach to the white paper that was released: they scanned their servers looking for all the sites that were infected by CryptoPHP and limited access to the nulled scripts. SiteGround are then applying a server-wide protection to ensure that any future CryptoPHP infections are prevented.