CryptoPHP: Analysis of a hidden threat inside popular content management systems


CryptoPHP

Update: We’ve published statistics on CryptoPHP and some advice: CryptoPHP a week later: more than 23.000 sites affected

CryptoPHP is a threat that uses backdoored Joomla, WordPress and Drupal themes and plug-ins to compromise webservers on a large scale. By publishing pirated themes and plug-ins free for anyone to use instead of having to pay for them, the CryptoPHP actor is social engineering site administrators into installing the included backdoor on their server.

After being installed on a webserver the backdoor has several options of being controlled which include command and control server communication, mail communication as well as manual control.

Operators of CryptoPHP currently abuse the backdoor for illegal search engine optimization, also known as Blackhat SEO. The backdoor is a well developed piece of code and dynamic in its use. The capabilities of the CryptoPHP backdoor include:

  • Integration into popular content management systems like WordPress, Drupal and Joomla
  • Public key encryption for communication between the compromised server and the command and control (C2) server
  • An extensive infrastructure in terms of C2 domains and IP’s
  • Backup mechanisms in place against C2 domain takedowns in the form of email communication
  • Manual control of the backdoor besides the C2 communication
  • Remote updating of the list of C2 servers
  • Ability to update itself

We’ve identified thousands of backdoored plug-ins and themes which contained 16 versions of CryptoPHP as of the 12th of November 2014. Their first ever version went live on the 25th of September 2013 which was version 0.1, they are currently on version 1.0a which was first released on the 12th of November 2014. We cannot determine the exact number of affected websites but we estimate that, at least a few thousand websites are compromised by CryptoPHP.

Read all the details in the whitepaper: CryptoPHP-Whitepaper-FoxSRT

33 thoughts on “CryptoPHP: Analysis of a hidden threat inside popular content management systems

  1. Hi Team,

    Like to make sure do we have any scanning tool / scripts to cross verify whether my list of websites got infected by CryptoPHP. I Manage more than 2000 websites which uses the same CMS, hence the manual cross verifying is highly impossible and time consuming. Hence need an expert advise on the same

    Thanks —

    • We recommend administrators to check for any social.png files on their servers. The following *NIX command will find all social.png files and output it’s file type:

      find -L / -type f -name ‘social.png’ -exec file {} +

      The output would look something like this if it’s a possible backdoor:

      /tmp/social.png: PHP script text

      We recommend checking the contents of the file if it’s a PHP script text instead of a PNG file. For this you need access to the server. If you do not have direct access to the server’s filesystem we suggest talking to the hoster of the servers to get these checks done.

      Cleaning CryptoPHP backdoors from existing CMS installations is something we do not advise. If you find a backdoored installation, we suggest you to perform a clean install with all new passwords. CryptoPHP inserts extra administrator accounts as well as configuration data into the CMS database. We have also found hat CryptoPHP can steal user credentials by injecting malicious javascript into the CMS login pages.

      • hi thanks for your solution i tried to run find -L / -type f -name ‘social.png’ -exec file {} + but it generate some loop error so i use ‘find’ all social.png its around 10 files out of it 6 was realy image file rest 4 was php script file i removed and suspend accounts (2 were affected) now should i consider my server does not have CryptoPHP ?

        should i try unblock my server ?

  2. analysis is fine but what is resolution? sever have over 200 site in wordpress and other cms how to check individual account even maldet(latest updated) do not show anything on it on server

    • hey here is recent update from CBL team

      Please see our updated lookup page for your IP.

      There are a number of scanners that can be used on web servers to try to find malicious PHP and Perl scripts, such as rkhunter etc.

      With the assistance of others, we’ve written a simple perl script called findbot.pl that searches for such things as r57shell, cryptphp etc. It will search your system can find potentially dangerous scripts.

      As it’s very simple-minded you will have to carefully inspect the files it finds to verify whether what it finds is malicious or not. Be aware of the file types – finding executable code fragments within “.png” or “.jpg” files is clearly demonstrates that the file is malicious.

      In order to use findbot.pl, you will need Perl installed.

      Install perl if necessary
      Download findbot.pl
      Follow the instructions at the beginning of the findbot.pl file

  3. Hi Fox,

    Can you suggest how can we detect instances of this CryptoPHP? Right now one of our servers with hundreds of different websites on it is listed by CBL (and subsequently by SpamHaus due to an alleged detection of this CryptoPHP) and we don’t even know where to start our search.

    Kind regards,
    Andy

  4. This is for a linux system and a little crude, but here’s how I found our culprit:

    for r in `locate social | grep png`; do file $r; done | grep PHP

    — Mike

  5. In my brief experience with this new pest, grepping the entire /home (/home/*/public_html for cPanel servers) for is apparently reliable (though rather crude). But even better is to md5sum all social.png files on the server (find /home/*/public_html -type f -name social.png -exec md5sum {} \;) and compare it with the md5 hashes in the white paper. The matches are sure hits.

  6. First of all: a big thumbs up for your excellent and thorough analysis of this new backdoor. I am currently writing a blogpost for my website to inform WordPress users about this threat and to advise them how to behave regarding themes and plugins with regards to this new threat. This may likely not be the last instance of this social engineering technique we will see, so what I am trying to do is make normal users aware of some do’s and don’ts when installing themes and plugins on their WordPress sites.

    Scanners are of course useful and necessary and scanning should ideally kick in automatically the moment a plugin or theme is being installed on a WordPress install. I don’t know if such a scanner already exists, otherwise this would be a nice software project (Virus Scanning Plugin And Theme Loader). Or perhaps this should be a core function developed by the WordPress team.

    Another approach would be to publish a list of infected plugins and themes. In the executive summary of your paper you state “We’ve identified thousands of
    backdoored plugins and themes which contained 16 versions of CryptoPHP as of the 12th of November 2014”. Is there a list of these plugins and themes somewhere online where users can be pointed to, and if so will it be maintained and actualised on a regular basis?

    Finally, an offline scanner would be handy too, so people could install themes and plugins by downloading them first, scan and then when they passed the scan install them through the WordPress install-by-upload system. This too would require change of user behaviour and such is as we all know no guarantee for succes. If this threat can be mitigated by technical means that would be the preferred solution.

    Once again: thanks a lot for your thorough work!

    Erik de Vries
    wpwebbouw.nl

    • Hi Erik,

      We’ve just published an update with statistics as well as tools to scan locally as well as remotely for CryptoPHP. A plug-in for WordPress that detects CryptoPHP amongst others is already available, its called ‘WordFence’.

      Thanks for your comment!

  7. Hello,
    I have found image or picture files with multiple extensions other than the “social.png” that don’t necessarily have something to do with CryptoPHP malware, but nevertheless contain PHP malware code inside. If either way you’re doing a scan to find the malware code, then I suggest using the find + extensions + grep, like so:
    find . \( -name \*.jpg -or -name \*.png -or -name \*.jpeg -or -name \*.gif -or -name \*.bmp \) -type f -exec file {} \; | grep “PHP script”
    It’s not optimized or made in a script, but it gets the job done and finds other files named differently that are infected. If someone else has some improvements on the command, please post it.

    • Thanks for the tip but why are you grepping for the string “PHP script”? Have you found this particular string in the hidden malware?

      • Hello,
        No problem. Let me try to explain, as this is actually a command line command, if that makes any sense. This is the first part before the pipeline:

        find . \( -name \*.jpg -or -name \*.png -or -name \*.jpeg -or -name \*.gif -or -name \*.bmp \) -type f -exec file {} \;

        This finds all the .jpg, .png, .jpeg etc. extension files and executes the “file” command on each file found in the search. On a normal .png file, the result would be:

        /path/to/file/file.png : PNG image data, 28 x 28, 8-bit/color RGBA, non-interlaced

        But in our case with the CryptoPHP malware, the entry for social.png file would look something like this:

        /path/to/infected/file/social.png: PHP script text

        As a conclusion, the “grep” command lists only the PHP scripts found in the results of the “find” + “file” commands. My point was that if you’re trying to find social.png files that are malware, you should also look for other files that are PHP malware scripts inserted into image (.jpg, .png etc.).

        Please let me know if there is anything that’s not clear enough.

      • I understand the find and grep commands. I was asking why are you using this particular string to grep for: “PHP script”. I guess it was just an example and we need to find ourselves some relevant string to grep for.

      • Well, it was an example. Anyone cand tweak it in any way that suits his or her needs. In my case, I was only interested in this result, hence the grep:

        /user/public_html/wp-content/themes/themename/images/file.png: PHP script text

        As I said before, I used this because there are other image extension files that have PHP malware code inside them.

    • Apologies I meant this one worked for me. As Andrei says, some malicious scripts had double extensions. So this command worked well in csh on FreeBSD

      find . \( -name \*.jpg -or -name \*.png -or -name \*.jpeg -or -name \*.gif -or -name \*.bmp \) -type f -exec file {} \; |grep “PHP script text”

  8. We also have a server with 100 sites. We have found multiple domains that have social.png on them. One has it 4 times in different directories. Can this travel within the server?

    • Hi Bert,

      It is most likely that the website owner has installed multiple backdoored plug-ins and themes. Every one of these will be an active CryptoPHP backdoor.

      • Just a note: we have found in one case the social.png backdoor directly in a joomla folder. The include of the backdoor was right into the index of the Joomla installation (at the bottom, after the closing PHP endtag). Don’t know how it appeared there though.

  9. I was having this same problem in several shared servers with more than 2,000 sites in each. to the solution realized the lock on the firewall of IPs below.

    192.42.116.41
    192.42.119.41

    • Hi Caio,

      We do not advise you to block the sinkhole IP’s. This does stop you from being listed on Spamhaus and its CBL but the CryptoPHP infection’s are still there!

  10. I am a technical guy at webhostinglahore.com, one of our deducated server get victimized by this malware, i just ran this command

    for r in `locate social | grep png`; do file $r; done | grep PHP

    Found 6 culprit websites with social.png as PHP script text despite images, simply removed those files and things are now under control.

    one may also check replacing png with jpg or other image formats.

    • It was mentioned above that it was simply not enough to delete the file. That you needed to removed the installed CMS. Can someone comment whether this is the still the recommendation?

    • Please try and run the command below:
      find . \( -name \*.jpg -or -name \*.png -or -name \*.jpeg -or -name \*.gif -or -name \*.bmp \) -type f -exec file {} \; | grep “PHP script”

      It should find all CryptoPHP files. Let me know if it worked.

  11. Script check_url.py is not finding anything on the server and we are still getting blacklisted.

    Any ideas? maybe social.png is not social.png anymore?

  12. But since I only obtained themes and plugins from my server host, except for buts of code I wrote myself, how can I account for contracting it on my server. It seems unlikely a large and reputable host would purchase pirated versions for redistribution.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s