A new piece of WordPress malware has been discovered disguised as an SEO plug-in called WP-Base-SEO. The malware plug-in has the ability to create backdoors on infected WordPress accounts. How does this new WordPress malware work, and are there any ways for users to identify fake or malicious plug-ins?
It’s never been easy to evaluate potentially malicious software, and the stakes continue to get higher. App stores adding minimal security checks have made it somewhat easier, but you’re stuck in the walled garden of the app store vendor. While this can protect end users, it doesn’t help when what you need isn’t in the app store.
There is a WordPress app store that offers thousands of plug-ins for websites using WordPress, but it has minimal criteria for hosting plug-ins.
Jessica Ortega, web security research analyst at SiteLock LLC, a website security company based in Scottsdale, Ariz., wrote about a malicious SEO plug-in for WordPress. Ortega noted that the code looks legitimate based on the header comment in the code.
However, as SiteLock researchers analyzed the code, they identified potentially suspicious functionality that could create a backdoor on the infected WordPress install. One of the simple obfuscation steps the WordPress malware authors used in the plug-in was the code $myfunc = 'bas' . 'e64_' . 'dec' . 'ode'; which assembles the function name from string fragments to hide the usage of the PHP base64_decode function, which decodes data that was encoded using the Multipurpose Internet Mail Extensions base64 binary-to-text encoding scheme.
Something like this should seem out of place in a potentially legitimate plug-in, which could alert your Spidey sense that something is wrong. However, it is very difficult for nontechnical people to evaluate code at this level, so relying on app store security checks and user feedback may be the best some users can be expected to do.
Malicious programs masquerading as legitimate software, such as this WordPress malware, are not uncommon. Enterprises should encourage their app stores to incorporate security into the entire ecosystem and to add additional checks of the application and the developer to improve trust in the store. While there may be increased costs, enterprises may be willing to pay for the time savings from not needing to spend as much time evaluating software.
Enterprises may even want to collaborate with their industry peers or Information Sharing and Analysis Centers to share this information. The SiteLock Research Team also mentioned using a service or application to check website security, which is good advice.
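As an added example (not code from SiteLock or from the plug-in), the following sketch shows how an automated check can catch the string-concatenation trick described above: it joins adjacent PHP string literals and reports any variable whose assembled value is a sensitive function name. The watchlist, the function name find_hidden_calls and the sample plug-in source are assumptions constructed for illustration.

```python
import re

# Illustrative watchlist of PHP functions often hidden in backdoors (an assumption).
WATCHLIST = {"base64_decode", "gzinflate", "gzuncompress", "str_rot13", "assert",
             "create_function", "system", "exec", "shell_exec", "passthru"}

# One quoted PHP string literal without escapes or interpolation.
LITERAL = r"""(?:'[^'\\]*'|"[^"\\$]*")"""
# $var = 'lit' . 'lit' [. 'lit' ...];
ASSIGN = re.compile(r"(\$\w+)\s*=\s*(" + LITERAL + r"(?:\s*\.\s*" + LITERAL + r")+)\s*;")


def find_hidden_calls(php_source):
    """Report variables assigned a watchlisted function name that was
    built from two or more concatenated string literals."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        for var, expr in ASSIGN.findall(line):
            # Strip the quotes from each fragment and join them back together.
            name = "".join(p[1:-1] for p in re.findall(LITERAL, expr)).lower()
            if name in WATCHLIST:
                # Is the variable later used as a function, e.g. $myfunc(...)?
                called = re.search(re.escape(var) + r"\s*\(", php_source) is not None
                findings.append({"line": lineno, "variable": var,
                                 "function": name, "called": called})
    return findings


# Constructed sample, not the real plug-in; only line 3 mirrors the article.
SAMPLE = """<?php
/* Plugin Name: Example SEO (constructed sample) */
$myfunc = 'bas' . 'e64_' . 'dec' . 'ode';
$label = 'Site' . ' title';
$out = $myfunc($stored_option);
"""

if __name__ == "__main__":
    for f in find_hidden_calls(SAMPLE):
        print(f"line {f['line']}: {f['variable']} hides {f['function']}() "
              f"(called as a function: {f['called']})")
```

A hit is a reason to review the plug-in by hand, not proof of compromise, and a clean result does not rule out other obfuscation methods.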