Beware of Fake Social.png’s That Come With Pirated Plugins!

Watch out for CryptoPHP, a threat that uses backdoored Joomla, WordPress and Drupal themes and plug-ins to compromise webservers.

Just came across an incident of a malicious executable social.png that got loaded with a plugin and created a lethal infection of a WordPress website. The lesson learned from it is to NEVER use pirated plugins. It is not worth it. Also, it may have ramifications for webservers.

The person who went through this experience is above-average WordPress literate, is careful with plugins, and has Wordfence loaded on her WordPress site. Wordfence found the social.png, but by the time she learned about it from Wordfence, the data center that was hosting her account had picked up on the “CryptoPHP” exploit, and the account was immediately suspended without an option to make a backup. It looks as though it is so lethal that Wordfence could not stop it. The social.png replicates itself and is very difficult to root out.

A comprehensive white paper by Fox-IT’s Security Research Team has dubbed the exploit “CryptoPHP”. CryptoPHP is a threat that uses backdoored Joomla, WordPress and Drupal themes and plug-ins to compromise webservers on a large scale. By publishing pirated themes and plug-ins free for anyone to use instead of having to pay for them, the CryptoPHP actor is social engineering site administrators into installing the included backdoor on their server. …srt-v4.pdf

Said the person who had been caught by this exploit:

The article helped me to see what happened. The include command was in the functions.php file of the Modern Blogger Pro theme, which is one of a few themes I loved and purchased thinking that I would see which one fit best for my general blog, then use another on my photo blog, and another on my music blog. This particular theme was the ONLY one not bought from StudioPress, but a 3rd party as a “trial” for much less. Lesson learned!

Fox-IT’s white paper provides a comprehensive list of websites that are being used by perpetrators to distribute the CryptoPHP backdoor. Definitely a must-read for users of WordPress, Joomla and Drupal scripts.

Removing this malware is almost impossible, as it keeps replicating itself. The general advice to admins is not to take chances and to suspend the infected website with no option for a backup to be made. So a further lesson here is to ALWAYS make backups. In this case the person who had been affected had to start her website completely from scratch.

When I Googled the removal of the malware, I did find a WordPress plugin whose author, ELI, claims it can catch all the CryptoPHP-infected files. HOWEVER, there would be a real possibility of the website breaking, and one would never be sure whether all of the infected files have been caught. Here is a link to the discussion:

Says ELI:

The tricky problem with this code is that the social.png files are included elsewhere in the PHP code of your site, so if you delete these PNG files it could break your site. If my plugin can find where it is included and remove the malicious code, then the PNG files are harmless since they cannot be executed without being included elsewhere.

ELI provides the following quick step-by-step guide to resolving this issue:
1. Download and install ELI’s plugin.
2. Download the latest Definition Update within the plugin Settings page.
3. Run the Complete Scan on the whole site.
4. Click “Automatically Fix…” if any Known Threats or Back-doors are found.
5. Once the include injections are removed you should be able to safely delete all of those social.png files, but if your site breaks when you delete them then you will either need to put them back and scan again or check your error_log to see where they are being included from.
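
The last step depends on knowing where the social.png files are included from. As an added example (not part of ELI's plugin or the Fox-IT paper), the Python scanner below walks a site tree, flags `.png` files that are not real images, and lists the PHP lines that include an image file. The sample tree, theme names and include line are constructed for the demonstration.

```python
from pathlib import Path
import re
import tempfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # first 8 bytes of every genuine PNG
# include/require(_once) statement whose argument names an image file
INCLUDE_IMAGE = re.compile(
    rb"\b(?:include|require)(?:_once)?\b[^;]*\.(?:png|jpe?g|gif)\b", re.I)

def scan_site(root):
    """Return (fake_pngs, include_hits); paths are relative to root."""
    root = Path(root)
    fake_pngs, include_hits = [], []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: skip it, keep scanning
        suffix = path.suffix.lower()
        # A real image starts with the PNG signature and carries no PHP tag
        if suffix == ".png" and (not data.startswith(PNG_MAGIC) or b"<?php" in data):
            fake_pngs.append(rel)
        elif suffix == ".php":
            for lineno, line in enumerate(data.splitlines(), 1):
                if INCLUDE_IMAGE.search(line):
                    include_hits.append((rel, lineno))
    return fake_pngs, include_hits

def build_sample_site(root):
    """Constructed sample tree: one clean theme, one carrying the include."""
    samples = {
        "themes/clean/functions.php": b"<?php\nrequire_once 'inc/setup.php';\n",
        "themes/clean/images/logo.png": PNG_MAGIC + b"\x00" * 16,
        "themes/pirated/functions.php": b"<?php\n// setup\ninclude('images/social.png');\n",
        "themes/pirated/images/social.png": b"<?php /* harmless placeholder */ ?>",
    }
    for rel, content in samples.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        fake, hits = scan_site(tmp)
        print("non-image .png files:", fake)
        print("PHP lines including an image:", hits)
```

Run it against a copy of the site rather than the live document root, and treat each reported include line as the place to clean before deleting the matching `.png` file.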