Dangerous CryptoPHP Back Door Threatens WordPress, Drupal Users

Criminals running a blackhat SEO operation are threatening website owners that use WordPress, Drupal and Joomla with a hidden back-door Trojan that ties into the underlying web server in support of their campaigns.

The attackers are tricking website administrators into installing their malware-laden, pirated themes and other plug-ins for free. Once the malware, called CryptoPHP, is dropped on the server, they can establish control of the server, according to Fox-IT, a professional security services firm based in the Netherlands.

About 23,000 websites have been impacted by CryptoPHP, and many of them are hosted in the United States, according to statistics released Wednesday by Fox-IT. The firm's security researchers said the websites actually affected are likely more because the infected web servers are said to be hosting multiple websites.

[Related: 5 Dangerous Web Application Flaws Coveted By Attackers]

Security industry researchers have been monitoring malicious domains spreading CryptoPHP and getting them taken down, but the authors behind the threat rebound quickly and recently pushed out a new variant to continue to widen their botnet of infected servers, Fox-IT said.

The name CryptoPHP originates from its use of public key encryption to shield data from security analysts, making it difficult to determine statistics about the infected platforms. Fox-IT published two Python scripts to detect CryptoPHP on servers and provided instructions on how to remove the malware. Ultimately, the company recommends that administrators conduct a complete reinstall of their content management systems.

’We do, however, recommend performing a complete reinstall of your CMS since the system integrity may have been compromised. An attacker may have gained systemwide access, for example,’ the company said in its analysis of CryptoPHP.

FoxIT and other solution providers said that website content management systems and their components are a frequent target of attackers who prey on administrators who fail to apply security updates. The platforms and the highly used plug-ins are updated often to patch software-coding errors and other weaknesses. Brute force attacks against administrator logins are also frequently conducted and the company advises all administrators to ensure that strong passwords are used and rotated.

Drupal issued critical security updates in October and November, repairing a critical SQL injection vulnerability, and errors that can be used in session hijacking and denial-of-service attacks. Joomla issued a security update in September, addressing an error that could be used to conduct a denial-of-service attack, causing a web server to respond slowly or crash.

The developers behind WordPress issued version 4.0.1 on Nov. 20, addressing several critical cross-site scripting (XSS) vulnerabilities, and an error that can be used to conduct cross-site request forgery, enabling an attacker to issue malicious commands to web applications.

Klikki Oy, a professional security services provider in Finland that discovered the XSS flaws, said 86 percent of all WordPress sites are affected by the vulnerabilities. The company said a successful breach gives an attacker the ability to take complete control of the web server, create a new administrator account and change the administrator password.

Vulnerable open-source and third-party components contribute, on average, up to 24 vulnerabilities into a web application, according to statistics maintained by Burlington, Mass.-based software security vendor Veracode. The company said about 80 percent of all retail breaches targeting web applications exploit a SQL injection vulnerability.

PUBLISHED NOV. 26, 2014