WordPress Security: Nulled scripts and the CryptoPHP infection
Our friends at Fox-IT in Delft, the Netherlands, have just been in touch with some fascinating research they have done. For those of you who are technical and want as much detail as possible, I suggest you jump to this post and go straight to the 50-page white paper Fox-IT has published on the CryptoPHP backdoor.
Nulled scripts are commercial web scripts, downloadable from various online sites, that have been modified to work without a licence key. Fox-IT has found that a number of sites distributing nulled scripts ship them with a cleverly designed piece of malware pre-installed. Fox-IT calls it CryptoPHP because it encrypts its data before sending it to its command-and-control servers.
The infection itself is relatively simple. Somewhere in the nulled script there is a small, innocuous-looking line of code: a PHP include statement that pulls an external PHP source file into your code, except that the file it references is an image. The image file carries live PHP code inside it, and disguising the executable PHP as an image is an attempt to hide the fact that it is malicious, since most scanners, and most people, never look at image files as code.
We have been aware of this kind of infection for a while, which is why some time ago we added an option that lets the scanner read image files as if they were PHP code. Fox-IT has found that the current purpose of the malware is black-hat search engine optimization: it injects links to other, possibly malicious, sites into your content.
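The two file-level checks the post describes, scanning images as if they were PHP and looking for include statements that point at an image, can be done with a short script. The one below is an added example, not code from the original post and not Fox-IT's or any scanner's own implementation. The sample site tree it scans is constructed inside a temporary directory for the demonstration; file names such as assets/images/icon.png and plugin.php are assumptions, not paths from the research.

```python
"""Scan a site tree for CryptoPHP-style "PHP hidden in an image" carriers.

Added example, not code from the original post or from Fox-IT. It flags:
  1. files with an image extension that contain a PHP open tag, and
  2. PHP source files that include()/require() a path with an image extension.
The sample site tree is constructed here for the demonstration.
"""
import os
import re
import tempfile

IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".bmp", ".ico"}
PHP_EXTS = {".php", ".phtml", ".inc"}

# A PHP open tag: "<?php", the echo form "<?=", or a bare "<?" followed by
# whitespace. Requiring something after "<?" avoids most chance hits on the
# byte pair 0x3C 0x3F inside genuine image data.
PHP_TAG_RE = re.compile(rb"<\?(php\b|=|\s)", re.IGNORECASE)

# include/require (and the _once variants) whose target ends in an image extension.
INCLUDE_IMAGE_RE = re.compile(
    r"""\b(include|require)(_once)?\s*\(?\s*['"]([^'"]+\.(png|jpe?g|gif|bmp|ico))['"]""",
    re.IGNORECASE,
)


def image_contains_php(path):
    """True if a file with an image extension carries a PHP open tag anywhere in it."""
    with open(path, "rb") as fh:
        return PHP_TAG_RE.search(fh.read()) is not None


def includes_of_images(path):
    """Return the image paths a PHP source file pulls in via include/require."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return [m.group(3) for m in INCLUDE_IMAGE_RE.finditer(fh.read())]


def scan_tree(root):
    """Walk root and return a sorted list of (finding, relative_path, detail)."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext in IMAGE_EXTS and image_contains_php(full):
                findings.append(("php-in-image", rel, ""))
            elif ext in PHP_EXTS:
                for target in includes_of_images(full):
                    findings.append(("include-of-image", rel, target))
    return sorted(findings)


def build_sample_site(root):
    """Constructed nulled-plugin layout: a clean image, a carrier image that
    starts with a valid PNG header but contains PHP, a PHP file that includes
    the carrier, and a clean PHP file with an ordinary require."""
    images = os.path.join(root, "assets", "images")
    os.makedirs(images, exist_ok=True)
    png_header = b"\x89PNG\r\n\x1a\n"
    with open(os.path.join(images, "logo.png"), "wb") as fh:
        fh.write(png_header + b"\x00" * 32)
    with open(os.path.join(images, "icon.png"), "wb") as fh:
        fh.write(png_header + b"\x00" * 16 + b"<?php echo 'backdoor stub'; ?>")
    with open(os.path.join(root, "plugin.php"), "w") as fh:
        fh.write("<?php\ninclude('assets/images/icon.png');\nfunction plugin_init() {}\n")
    with open(os.path.join(root, "helpers.php"), "w") as fh:
        fh.write("<?php\nrequire_once 'lib/util.php';\n")


def demo():
    """Build the constructed sample tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return scan_tree(root)


if __name__ == "__main__":
    for finding, path, detail in demo():
        print(f"{finding:18} {path} {detail}")
```

Run it against a real document root by calling scan_tree() on that path instead of demo(). The image check is deliberately a content check rather than a header check: the carrier file in the sample begins with a perfectly valid PNG signature, which is exactly why looking at the extension or the magic bytes alone is not enough.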
However, this is a sophisticated kind of infection. It communicates with command-and-control servers that can instruct it to perform a wide range of tasks, including updating itself. This is a classic botnet infection: every compromised site becomes a zombie that can be directed to do almost anything, from sending spam to hosting illegal content to attacking other sites.
Within the malware code there is a user-agent (browser) check that verifies whether the visiting browser's user-agent matches 'chishijen12'. Fox-IT found an IP address associated with this user-agent, and the IP is located in Chisinau, Moldova. The city's name resembles the character sequence of the user-agent string, which lends some credibility to their theory.
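Because the backdoor keys on a fixed User-Agent string, a site owner can look for that value in the web server's access log to see whether anyone has been driving the backdoor. The script below is an added example, not code from the original post or from Fox-IT: it parses combined-format log lines and groups the requests that presented the trigger User-Agent by client IP. The log lines, IP addresses and request paths are constructed for the demonstration.

```python
"""Find requests carrying the CryptoPHP trigger User-Agent in an access log.

Added example, not from the original post or from Fox-IT. The malware compares
the visitor's User-Agent with 'chishijen12'; this scans an Apache/nginx
"combined" format log for that value. The log text below is constructed.
"""
import re
from collections import defaultdict

TRIGGER_UA = "chishijen12"

# combined format: ip ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: two ordinary visits, two backdoor probes, one junk line.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Nov/2014:10:01:12 +0000] "GET /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/33.0"
198.51.100.23 - - [20/Nov/2014:10:02:03 +0000] "POST /wp-content/plugins/nulled-seo/plugin.php HTTP/1.1" 200 512 "-" "chishijen12"
203.0.113.7 - - [20/Nov/2014:10:02:40 +0000] "GET /index.php HTTP/1.1" 200 9981 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/33.0"
198.51.100.23 - - [20/Nov/2014:10:05:19 +0000] "GET /index.php HTTP/1.1" 200 9981 "-" "chishijen12"
this line is not in combined format
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_trigger_requests(log_text, trigger=TRIGGER_UA):
    """Return {client_ip: [request, ...]} for every request whose UA equals trigger.

    The comparison is exact, mirroring the malware's own check. A relaxed
    (substring, case-insensitive) comparison would catch variants but also
    more noise; that trade-off is the operator's to make.
    """
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        fields = parse_line(raw)
        if fields is None:
            continue  # skip malformed lines instead of aborting the whole scan
        if fields["ua"] == trigger:
            hits[fields["ip"]].append(fields["request"])
    return dict(hits)


if __name__ == "__main__":
    for ip, reqs in find_trigger_requests(SAMPLE_LOG).items():
        print(ip, len(reqs), "request(s):", "; ".join(reqs))
```

Feed it a real log with find_trigger_requests(open(path).read()). The request paths it returns are the more useful output: they point at the file the operator was talking to, which is usually the nulled plugin or theme that carried the infection in.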
This malware affects not only WordPress but also Drupal and Joomla. In fact, the detection we have added will recognize the Drupal or Joomla infections even if they live under your WordPress directory. If you are an enterprise customer using an IDS such as Snort or the Emerging Threats rule set, Fox-IT has produced Snort signatures that are included in the white paper, and I see that Emerging Threats have today updated their open rule set to detect this.
Please help us spread the word about the dangers of downloading or distributing nulled scripts, and help keep the community safe.