Reverse engineering a WordPress theme with malware

I was reading about the malware concept inside WordPress themes (Anatomy of a theme malware, a brilliant post) and also on Weblog Tools Collection, which has an excellent video. What about the themes I downloaded? Maybe some of them have a monster in their chest, ready to blow up…

Something's going on in this WordPress theme...

Something nasty inside this theme...

To my concern, a few of them (downloaded from not-so-respectable places) had something like this in footer.php:


<?php $_F=__FILE__;$_X='Pz48IS0tIGI1ZzRuIGYyMnQ1ciAtLT4NCg0KPGQ0diBzdHlsNT0iY2w1MXI6Yj
J0aDsiPjwvZDR2Pg0KDQo8ZDR2IDRkPSJmMjJ0NXIiPg0KDQoJPHA+QzJweXI0Z2h0ICZjMnB5OyBhMDA4ICZt
NGRkMnQ7IEFsbCBSNGdodHMgUjVzNXJ2NWQgJm00ZGQydDsgPDEgaHI1Zj0iaHR0cDovL3d3dy5jcDEtbjV0dz
Jyay4ycmciID5DUEEgTjV0dzJyazwvMT4gdGg1bTUgYnkgPDEgaHI1Zj0iaHR0cDovL3d3dy5jcDEtbjV0dzJy
a3MubjV0IiA+Q1BBIE41dHcycmtzPC8xPiAmbTRkZDJ0OyBQMnc1cjVkIGJ5IDwxIGhyNWY9Imh0dHA6Ly93d3
cudzJyZHByNXNzLjJyZy8iPlcycmRQcjVzczwvMT4gJm00ZGQydDsgPD9waHAgd3BfbDJnNG4yM3QoKTsgPz48
L3A+DQoNCjwvZDR2Pg0KDQo8P3BocCBkMl8xY3Q0Mm4oJ3dwX2YyMnQ1cicpOyA/Pg0KDQo8L2Q0dj4NCg0KPC
9iMmR5Pg0KPC9odG1sPg==';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydH
IoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCIn
Ii4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));?>

You will see two variables, $_F and $_X, and a base64_decode() call at the start of the long statement.

I used a "decode base64" web page to see what is hidden in the following evaluation:

eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZS
csJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZh
bCgkX1IpOyRfUj0wOyRfWD0wOw=='));

Getting:

$_X=base64_decode($_X);
$_X=strtr($_X,'123456aouie','aouie123456');
$_R=ereg_replace('__FILE__',"'".$_F."'",$_X);
eval($_R);
$_R=0;
$_X=0;

In short: base64-decode $_X, undo the character substitution with strtr (the digits 1-6 and the vowels a, o, u, i, e are swapped), put the quoted path of the current file in place of any __FILE__ token, and eval the result. I made a small modification to render the code harmless, replacing the eval with an echo:

<?php $_F=__FILE__;$_X='Pz4JPCEtLSBGT09URVIgU1RBUlRTIC0tPg0KCTxkNHYgNGQ9ImYyMnQ1ci0yM3
QiPg0KCTxkNHYgNGQ9ImYyMnQ1ciIgY2wxc3M9IndyMXAiPg0KICAgICAgICANCgkJPGQ0diBjbDFzcz0idzRk
ZzV0IGJsMmNrIj4NCgkJCTw/cGhwIGR5bjFtNGNfczRkNWIxcihhKSA/Pg0KCQk8L2Q0dj4NCgkJPGQ0diBjbD
Fzcz0idzRkZzV0IGJsMmNrIj4NCgkJCTw/cGhwIGR5bjFtNGNfczRkNWIxcihvKSA/Pg0KCQk8L2Q0dj4NCgkJ
PGQ0diBjbDFzcz0idzRkZzV0IGJsMmNrIGwxc3QiPg0KCQkJPD9waHAgZHluMW00Y19zNGQ1YjFyKHUpID8+DQ
oJCTwvZDR2Pg0KCTwvZDR2Pg0KCTwvZDR2Pg0KCTwhLS0gRk9PVEVSIEVORFMgLS0+DQoJPGQ0diA0ZD0iYzJw
eXI0Z2h0LTIzdCI+DQoJPGQ0diA0ZD0iYzJweXI0Z2h0IiBjbDFzcz0id3IxcCI+DQoJCTxkNHYgY2wxc3M9Im
MybC1sNWZ0Ij4NCgkJCTwzbD4NCgkJCQk8P3BocCA0ZiAoNHNfcDFnNSgpKSB7ICRoNGdobDRnaHQgPSAicDFn
NV80dDVtIjsgfSA1bHM1IHskaDRnaGw0Z2h0ID0gInAxZzVfNHQ1bSBjM3JyNW50X3AxZzVfNHQ1bSI7IH0gPz
4NCgkJCQk8bDQgY2wxc3M9Ijw/cGhwIDVjaDIgJGg0Z2hsNGdodDsgPz4gZjRyc3QiPjwxIGhyNWY9Ijw/cGhw
IGJsMmc0bmYyKCczcmwnKTsgPz4iPkgybTU8LzE+PC9sND4NCgkJCQk8P3BocCB3cF9sNHN0X3AxZzVzKCdzMn
J0X2MybDNtbj1tNW4zXzJyZDVyJmQ1cHRoPTYmdDR0bDVfbDQ9Jyk7ID8+DQoJCQk8LzNsPg0KCQk8cD4mYzJw
eTsgQzJweXI0Z2h0IDwxIGhyNWY9Imh0dHA6Ly9qNTN4ZDUtYzFzNG4yLmMybS8iIHQ0dGw1PSJqNTN4IGQ1IG
MxczRuMiI+ajUzeCBkNSBjMXM0bjI8LzE+LiBBbGwgUjRnaHRzIFI1czVydjVkLjwvcD4NCgkJPC9kNHY+DQoJ
CTxkNHYgY2wxc3M9ImMybC1yNGdodCI+DQoJCQk8MSBocjVmPSIjIj48NG1nIHNyYz0iPD9waHAgYmwyZzRuZj
IoJ3Q1bXBsMXQ1X2Q0cjVjdDJyeScpOyA/Pi80bTFnNXMvNG1nX3QycC5nNGYiIHc0ZHRoPSJvdSIgaDU0Z2h0
PSJhdSIgMWx0PSJCMWNrIDJuIFQycCIgLz48LzE+DQoJCTwvZDR2Pg0KCTwvZDR2Pg0KCTwvZDR2Pg0KPD9waH
Agd3BfZjIydDVyKCk7ID8+DQoNCjw/cGhwIDRmICggZzV0XzJwdDQybigndzIyX2cyMmdsNV8xbjFseXQ0Y3Mn
KSA8PiAiIiApIHsgNWNoMiBzdHI0cHNsMXNoNXMoZzV0XzJwdDQybigndzIyX2cyMmdsNV8xbjFseXQ0Y3MnKS
k7IH0gPz4NCjwvYjJkeT4NCjwvaHRtbD4=';

$_X=base64_decode($_X);
$_X=strtr($_X,'123456aouie','aouie123456');
$_R=ereg_replace('__FILE__',"'".$_F."'",$_X);
echo "<pre>";//added
echo ($_R); //changed to echo
echo "</pre>";//added
$_R=0;
$_X=0;
?>

To finally get:

<pre>?>	<!-- FOOTER STARTS -->
	<div id="footer-out">
	<div id="footer" class="wrap">

		<div class="widget block">
			<?php dynamic_sidebar(2) ?>
		</div>
		<div class="widget block">
			<?php dynamic_sidebar(3) ?>
		</div>

		<div class="widget block last">
			<?php dynamic_sidebar(4) ?>
		</div>
	</div>
	</div>
	<!-- FOOTER ENDS -->
	<div id="copyright-out">
	<div id="copyright" class="wrap">
		<div class="col-left">

			<ul>
				<?php if (is_page()) { $highlight = "page_item"; } else
                                {$highlight = "page_item current_page_item"; } ?>
				<li class="<?php echo $highlight; ?> first">
                                <a href="<?php bloginfo('url'); ?>">Home</a></li>
				<?php wp_list_pages('sort_column=menu_order&depth=1&title_li='); ?>
			</ul>
		<p>© Copyright <a href="http://jeuxde-casino.com/"
                    title="jeux de casino">jeux de casino</a>. All Rights Reserved.</p>

		</div>
		<div class="col-right">
			<a href="#"><img src="<?php bloginfo('template_directory'); ?>
                       /images/img_top.gif" width="34" height="24" alt="Back on Top" /></a>
		</div>
	</div>
	</div>
<?php wp_footer(); ?>

<?php if ( get_option('woo_google_analytics') <> "" )
                { echo stripslashes(get_option('woo_google_analytics')); } ?>
</body>

</html></pre>

Fortunately, there is no malicious code inside, although some advertising is. There are a few tools that do this encoding task, like PHP Free Encoder. There is no smart WordPress, just smart people, for good and for bad.
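The three loader steps described above (base64 decode, strtr character swap, __FILE__ substitution) replayed statically in Python, as an added example that is not part of the original post: it decodes the first footer.php blob quoted above without ever calling eval, and lists function names that would deserve a second look in the decoded text. The file path and the list of names are my own assumptions, not from the post.

```python
import base64

# The $_X blob from the first footer.php sample above, copied line by line.
ENCODED = (
    "Pz48IS0tIGI1ZzRuIGYyMnQ1ciAtLT4NCg0KPGQ0diBzdHlsNT0iY2w1MXI6Yj"
    "J0aDsiPjwvZDR2Pg0KDQo8ZDR2IDRkPSJmMjJ0NXIiPg0KDQoJPHA+QzJweXI0Z2h0ICZjMnB5OyBhMDA4ICZt"
    "NGRkMnQ7IEFsbCBSNGdodHMgUjVzNXJ2NWQgJm00ZGQydDsgPDEgaHI1Zj0iaHR0cDovL3d3dy5jcDEtbjV0dz"
    "Jyay4ycmciID5DUEEgTjV0dzJyazwvMT4gdGg1bTUgYnkgPDEgaHI1Zj0iaHR0cDovL3d3dy5jcDEtbjV0dzJy"
    "a3MubjV0IiA+Q1BBIE41dHcycmtzPC8xPiAmbTRkZDJ0OyBQMnc1cjVkIGJ5IDwxIGhyNWY9Imh0dHA6Ly93d3"
    "cudzJyZHByNXNzLjJyZy8iPlcycmRQcjVzczwvMT4gJm00ZGQydDsgPD9waHAgd3BfbDJnNG4yM3QoKTsgPz48"
    "L3A+DQoNCjwvZDR2Pg0KDQo8P3BocCBkMl8xY3Q0Mm4oJ3dwX2YyMnQ1cicpOyA/Pg0KDQo8L2Q0dj4NCg0KPC"
    "9iMmR5Pg0KPC9odG1sPg=="
)

# strtr($_X, '123456aouie', 'aouie123456'): a fixed one-to-one character swap.
SWAP = str.maketrans("123456aouie", "aouie123456")

# Function names worth a closer look in decoded theme code (my own list, not the post's).
SUSPICIOUS = ("eval(", "base64_decode(", "system(", "exec(", "shell_exec(",
              "passthru(", "assert(", "create_function(", "gzinflate(", "str_rot13(")


def decode_footer(blob: str, file_path: str = "/hypothetical/themes/x/footer.php") -> str:
    """Replay the loader's three steps statically; eval() is never called."""
    raw = base64.b64decode(blob).decode("latin-1")   # step 1: base64_decode($_X)
    plain = raw.translate(SWAP)                        # step 2: strtr(...)
    # step 3: ereg_replace('__FILE__', "'".$_F."'", $_X); the pattern is a
    # literal, so a plain string replace gives the same result
    return plain.replace("__FILE__", "'" + file_path + "'")


def triage(plain: str) -> list:
    """Return the suspicious function names present in the decoded text."""
    return [name for name in SUSPICIOUS if name in plain.lower()]


if __name__ == "__main__":
    text = decode_footer(ENCODED)
    print(text)
    print("suspicious calls:", triage(text) or "none")
```

For this sample the decoded text is the footer HTML with the advertising links, and triage() finds nothing; on a blob that really hides a backdoor the same two calls show it without executing it.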

