WordPress Malware: WP-VCD

Using nulled WordPress themes and plugins is bad. Why? Because sometimes (well, most of the time) nulled plugins or themes contain malicious code that looks something like this:

That’s wp-vcd.php. When a WordPress website is infected with this piece of malware, the infected file resides in the “wp-includes” directory and every time a page on a WordPress website is accessed overwrites the functions.php file with malicious code that looks like this:

Removing the code doesn’t do any good – as soon as any file gets accessed (the malware overwrites the contents of the functions.php file which can be used to add certain features and functionality to a WordPress website), the code comes back because the main file – wp-vcd.php – is not being removed.

Here’s a couple interesting facts about this piece of malware:

• The wp-vcd malware often comes pre-installed in nulled themes;
• Websites affected by this malware can have new WordPress administrator users created with their names similar to “100010010”;
• When a script affected by this malware is accessed directly, its code is instantly terminated with the message “ERROR_WP_ACTION WP_V_CD WP_CD”;
• The wp-vcd.php file starts with a variable called “install_code”, which is a base-64 encoded string;
• The base64-encoded string contains pieces of code that creates a wp-tmp.php file;
• wp-vcd.php file injects code into functions.php and alters the modification date and time;
• Once a website is affected by this piece of malware, it might redirect to shady websites;
• This malware might propagate to all of WordPress themes (inactive themes included) and infect all of WordPress installations on the same server forcing a hosting provider to suspend an account in order to prevent the spread of the malware.

Files that are usually affected with this malware are:

• wp-includes/wp-vcd.php (created by the malware);
• wp-includes/wp-tmp.php (created by the malware);
• wp-content/themes/*(any theme)/functions.php (if the wp-vcd.php file is not removed, malicious code is appended to functions.php and reappears upon removal);
• wp-includes/class.theme-modules.php (created by the malware and when affected by it, functions.php is overwritten by this code. This file installs the wp-vcd malware into the theme);
• wp-includes/class.wp.php (created by the malware, the file tries to insert a WordPress user with the ID and name of “100010010” with the password hash “\$P\$BaRp7gFRTND5AwwJwpQY8EyN3otDiL.” into the database. Since WordPress has a class-wp.php file by default, the class.wp.php file might not be always noticed when removing malware manually).

The malware scans the themes directory and modifies all functions.php files found within themes. WP-VCD then also makes use of the touch() function in PHP which sets the access and modification time of a specified file:

One interesting fact about this malware (and the above code block in particular) is that the functions.php file will only be infected if its code does not contain “WP_V_CD”. In other words, if the content of a functions.php file contains the string “WP_V_CD”, the above code block will not run (24th code line, the malware checks if the content of functions.php does not contain “WP_V_CD”) and functions.php will not be infected – the string would then act like a killswitch.

Deleting the malware

Recovering a website from a malware infection is not easy. A developer cannot just delete the contents of one file and call it a day. Instead, it is very important to locate all areas which could have been affected by malware and searching for backdoors in every file in that directory – checking the integrity of files can prove useful too. A developer also needs to understand why did a website get infected with malware in the first place: most likely that happened due to the fact that the developer installed a nulled theme or a nulled plugin on the website – often, nulled plugins or themes come with backdoors. Take a look at the following example:

The above code block not only describes a WordPress plugin – it also includes a potentially malicious file if it does not already exist. When included, the file could do all sorts of things – including spreading malware. In order to prevent such code from jeopardizing the security of your web application, double check the source code of your plugins for malicious code and make sure all plugins you are using come from an official source.

Wrap-up

Malware like WP-VCD is one of the prime examples why developers should never use nulled themes or plugins – although providing nulled content is pretty typical for websites that offer to download “premium software for free”, using nulled plugins or themes comes with a price and often, the price is your website getting infected.