Named after the wp-vcd.php file, the WP-VCD malware has been causing considerable disruption in the WordPress space. Since it was first detected by the security threat intelligence team a year ago, the malware has evolved and become more sophisticated. What follows is a study of the evolution of this notorious malware and of how to fix and prevent a wp-vcd malware infection on your website.
Symptoms of WP-VCD malware:
- New administrator added to WordPress: We have seen hackers add themselves as a user with administrator privileges in WordPress.
- High resource consumption: The WP-VCD malware is known to consume server resources. We have also seen hosting companies suspend accounts citing 'high resource utilization'.
- Slower website load time: The load time of websites infected with this malware is often affected negatively. In some cases we have seen websites that normally take 2-3 seconds to load take more than 30 seconds!
- Unknown JavaScript code: We have seen unknown JavaScript code added to some important WP files such as functions.php and index.php, or to almost all core WP files. The latter is usually a nightmare to fix and often also redirects the website to malicious domains.
- Malicious PHP code inside core folders: 'WP-VCD' code is added in various locations in WordPress. This is where the malware gets its name. The name may lead you to assume the file is part of WordPress, but code analysis shows it to be malicious.
Below is an example of WP-VCD malware well hidden in the wp-includes directory, as flagged by Astra Security's malware scanner.
Main causes of WP-VCD infection:
Once infected, it is important to remove the infection and keep WordPress watertight. At the same time, it is equally important to know what caused the infection in the first place. Some of the entry points we have identified are:
- Pirated and nulled themes: The WP-VCD malware comes pre-installed in pirated versions of paid themes/plugins. These nulled (pirated) themes and plugins contain malicious scripts that are deployed on installation.
After setting foot on your website through a nulled theme, it goes on to infect every other theme on your site. In the case of a shared server, the malware then propagates to every unprotected site hosted on that server. That's why we often see this malware infecting all the websites on the same server when they aren't containerized.
- Outdated plugins & themes: This is one of the top causes of almost all WordPress infections. However, updating all themes/plugins after the infection has happened doesn't mean the infection goes away. Cleaning the infection is still required, as is ensuring proactive security; more on that below.
- No proactive security on the website: Truth be told, hackers have evolved their techniques over the years. They gain thousands of dollars from such hacks, which means they can spend hundreds of dollars automating them to infect thousands or millions of websites at once.
To protect against such evolved WordPress hack techniques, a small investment in a security tool goes a long way. It saves you headaches at times like these, and preventing the SEO/marketing/sales loss from downtime is another added benefit.
How exactly does the WP-VCD malware work?
[some technical (yet super important) jargon ahead]
It's really important to understand what exactly WP-VCD does and how it is able to slow down your website while eating up your precious server resources.
When malicious code is inserted into your website, it usually sits in core files like functions.php or index.php. This malicious code makes calls to other files within your website. When your website is opened in a browser, it tries to reach the files the malware is calling. These files may or may not exist on your website, causing functions.php to be executed again and essentially turning the website loading process into one big loop. In security language this is called a 'forkbomb'.
Step 1: Deploys malicious scripts
In the functions.php file within your theme, you would see some code similar to this:
<?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>
This code checks whether deployer scripts are available and, if so, executes them. As you can see in the code above, the file being called is class.theme-modules.php. Depending on where the infection emanates from (i.e. theme or plugin), the malicious script will be in class.theme-modules.php or class.plugin-modules.php respectively.
Step 2: Creates backdoor
<?php
//install_code1
error_reporting(0);
ini_set('display_errors', 0);
DEFINE('MAX_LEVEL', 2);
DEFINE('MAX_ITERATION', 50);
DEFINE('P', $_SERVER['DOCUMENT_ROOT']);
$GLOBALS['WP_CD_CODE'] = 'PD9waHANCmVycm9y...(base64-encoded string of PHP code)
...
This code creates a new admin user with a name similar to 100010010. The objective of this backdoor admin account is to make sure the hacker can still access the website even if you delete the malicious code, so that the attackers can attack your website again at a later point in time.
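Added example (not from the original post or from Astra): a query a site owner can run to audit administrator accounts for the backdoor pattern described above. It uses the standard wp_users/wp_usermeta schema; the SQLite fixture, account names, e-mails and dates are constructed for the demonstration.

```python
import sqlite3

# Query shape matches the live WordPress schema (tables wp_users and wp_usermeta;
# adjust the table prefix if yours differs). The capability meta value is a
# serialized PHP array, so LIKE is the practical filter.
ADMIN_QUERY = """
    SELECT u.ID, u.user_login, u.user_registered
    FROM wp_users AS u JOIN wp_usermeta AS m ON m.user_id = u.ID
    WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%'
    ORDER BY u.user_registered
"""

def suspicious_admins(db, known_logins):
    """Return (ID, login, registered) for administrators not in the owner's known
    list, or whose login is all digits, the naming pattern the post reports."""
    flagged = []
    for uid, login, registered in db.execute(ADMIN_QUERY):
        if login not in known_logins or login.isdigit():
            flagged.append((uid, login, registered))
    return flagged

def load_fixture():
    """Constructed database: a legitimate admin, a WP-VCD-style numeric admin
    and an editor. Names, e-mails and dates are made up for this example."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                               user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_users VALUES (1, 'siteowner', 'owner@example.com', '2018-03-01 10:00:00');
        INSERT INTO wp_users VALUES (2, '100010010', 'x@example.com', '2019-11-20 03:14:07');
        INSERT INTO wp_users VALUES (3, 'editor1', 'ed@example.com', '2019-05-02 09:00:00');
        INSERT INTO wp_usermeta VALUES (1, 1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
        INSERT INTO wp_usermeta VALUES (2, 2, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
        INSERT INTO wp_usermeta VALUES (3, 3, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}');
    """)
    return db

if __name__ == "__main__":
    for row in suspicious_admins(load_fixture(), known_logins={"siteowner"}):
        print("unexpected administrator:", row)
```

Against a live site, run ADMIN_QUERY through the MySQL client and compare the result with the administrators you know you created.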
Step 3: Gets instructions from hackers
Sometimes hackers inject the URLs of their C2 servers. These URLs are later called to deploy actions across the infected sites in one go. Domains such as www.krilns[.]com/code.php, krilns[.]pw, krilns[.]top, etc. have been found doing this on many WP-VCD infected sites.
Step 4: Infects other files and sites
The next thing the WP-VCD malware does is spread. It deploys the malicious script in every theme and plugin on your site. Next, it goes on to find vulnerable sites on the same server and infects them too.
This propagation starts with the deployment of a script located at wp-includes/wp-vcd.php. It is followed by modifications to the core wp-includes/post.php, which finally execute the code in wp-vcd.php on every page.
How to fix & remove the WP-VCD WordPress malware?
- Finding & removing malicious code: There are a few places where the probability of finding the malicious code is high. Although hackers keep trying to hide the malware more creatively, these files/folders on your server are worth starting the hunt from:
  - wp-includes/wp-vcd.php
  - wp-includes/wp-tmp.php
  - wp-content/themes/*/functions.php (all themes installed on the server, whether active or not)
  - class.wp.php
  - code1.php
  - class.theme-modules.php (inside the theme folder)
- Searching for malicious string patterns: Searching for string patterns found in infected files helps narrow down the search. A few of them are listed below:
  - tmpcontentx
  - function wp_temp_setupx
  - wp-tmp.php
  - derna.top/code.php
  - stripos($tmpcontent, $wp_auth_key)
- Analyze functions.php: This file is one of the files hackers infect most often. Reviewing the code in functions.php can reveal the controlling code of the wp-vcd malware.
- Run a diff check to ensure code authenticity: Run a diff of the file contents on your server against the corresponding files in the WordPress core GitHub repository or the theme/plugin directory. You can use either approach (or both): over SSH or from your IDE.
(File difference checking: screenshot from Astra's malware scanner showing malware added at the top of the index.php file)
- Run a malware scan: In such infection situations, a malware scanner can save you hours of hunting for malware (which still doesn't guarantee success). A malware scanner not only scans each and every file on the server but also points out every difference in your WordPress core files.
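Added example (not from the original post or from Astra's scanner): a small hunt script that applies the two lists above, the drop-location file names and the string patterns, to a WordPress tree, and also catches the include_once hook quoted in Step 1. The sample tree it builds is constructed for the demonstration; point scan_tree() at your real document root instead.

```python
import os
import tempfile

# File names the post lists as common WP-VCD drop locations.
SUSPICIOUS_NAMES = {"wp-vcd.php", "wp-tmp.php", "class.wp.php", "code1.php",
                    "class.theme-modules.php", "class.plugin-modules.php"}
# Strings the post reports inside infected files; matched as fixed text, not regex.
SUSPICIOUS_STRINGS = ("tmpcontentx", "wp_temp_setupx", "wp-tmp.php",
                      "derna.top/code.php", "stripos($tmpcontent, $wp_auth_key)",
                      "WP_CD_CODE", "class.theme-modules.php",
                      "class.plugin-modules.php")

def scan_tree(root):
    """Walk a WordPress install; return {relative path: [reasons]} for each hit."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if name in SUSPICIOUS_NAMES:
                reasons.append("suspicious file name")
            if name.endswith(".php"):  # only PHP files can carry the PHP indicators
                with open(path, "r", errors="ignore") as fh:
                    body = fh.read()
                reasons += [f"contains '{s}'" for s in SUSPICIOUS_STRINGS if s in body]
            if reasons:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = reasons
    return findings

def build_sample_tree():
    """Constructed tree: a clean theme, a nulled theme carrying the include_once
    hook quoted in the post, and a dropped wp-includes/wp-vcd.php (no payload)."""
    root = tempfile.mkdtemp()
    hook = ("<?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) "
            "include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>\n")
    layout = {
        "wp-content/themes/clean/functions.php": "<?php add_theme_support('title-tag');\n",
        "wp-content/themes/nulled/functions.php": hook,
        "wp-includes/wp-vcd.php": "<?php // constructed placeholder file\n",
    }
    for rel, content in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    return root

if __name__ == "__main__":
    for path, reasons in sorted(scan_tree(build_sample_tree()).items()):
        print(path, "->", "; ".join(reasons))
```

A hit is a lead, not proof: a legitimate theme that ships its own class.theme-modules.php still has to be diffed against the vendor's copy before you delete anything.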
The WP-VCD malware gets a foothold in your site by leveraging loopholes in outdated plugins and themes. In most WP-VCD cases the site owners infect themselves by installing free/nulled plugins & themes from unauthorized sources, while in others it occurs as a result of contamination by infected sites.
Tip: Scan WordPress for malicious code
One of the biggest lessons to be learnt from such hacks is to ensure your website is secure going forward. Not ending up in a hack situation like this is entirely possible using the Astra Security Suite, which powers the security of thousands of websites around the globe, stopping millions of attacks and malware every day!