Dutch IT company Fox IT have released a white paper outlining an increase in a security threat they have dubbed CryptoPHP.

The Fox IT CryptoPHP white paper is very technical and covers attack vector points for WordPress, Joomla and Drupal.

Let me summarise their findings.

It concerns something called “Nulled Scripts”.  Some of you may not have come across this terminology before.

What Are Nulled Scripts

Nulled scripts are bits of code, such a WordPress plugin or WordPress theme, which have their copy protection removed.

Many non-GPL “pro” plugins and themes come with a serial key which gives access to the paid features or entitles you to free upgrades.

Nulled scripts have these protections removed so that it will work for free.  It is outright theft of course or put another way pirated software.

There are many sites offering nulled (PHP) scripts as well as nulled WordPress plugins and themes.

Please do not use them.  Here’s why.

CryptoPHP Infection

The guys at Fox IT have found an alarming increase in deliberately infected  nulled scripts.

It’s not new that many “free” WordPress plugins and scripts can contain malware if not downloaded from a verified source such as WordPress.org, Theme Forest, WooThemes or the like.

This particular infection is more devious that previous malware in that it encrypts data before sending it back to it’s command and control servers.

For a seasoned PHP developer, spotting the infection is rather easy.

include('assets/images/social.png');

Any developer will look at that and immediately be suspicious – why is an image being included in the PHP script?  That’s way not right!

The include() function is used for loading external PHP scripts.  Bingo!

You’ve guessed that social.png isn’t really an image and you’re right. It’s some PHP code disguised as an image file.

This nasty little script can even avoid detection as many malware scanning programmes (and plugins) don’t check image files.

We use WordFence as our go-to security plugin for all WordPress sites.  The newest version of the plugin automatically checks all include() statements for suspicious files and there is also an option to scan image files like they are PHP code.

What Does The Malware Script Do?

Fox IT determined that the malware script injects dodgy, spam and malicious website links into your site’s content.  An attempt as black-hat SEO.

Remember that this security issue doesn’t just affect WordPress.  It also affects Joomla, Drupal and possibly other CMSs which use add-on modules to extend functionality.

The white paper shows how to identify the script so you can check all your WordPress installations today.

We urge that you do check all your sites for this now.  Never download “free” themes or plugins from unknown/community unverified sites and lastly share this amongst your friends and colleagues to make the web a more secure place.

If you want to super secure your WordPress website have a read of our WordPress Security Best Practices post.