Lately we very often detect WordPress malware that reads a file which is not part of a normal WordPress installation and writes loader code containing “$wp_update_file=” into files in various folders.
Process Flow of Malware
The process flow of this malware is very simple.
1 The file indicated by $wp_update_file= is read. This file does not exist in a clean WordPress installation; it is the body of the malware. The code written into the other files that contain $wp_update_file= is a sub-malware (loader) whose job is re-infection.
2 The obfuscated file that was read is de-obfuscated with base64_decode, and the result is JSON-decoded into an array holding multiple pieces of malware code.
3 Based on the data in that array, the malware modifies files in various parts of the WordPress installation and writes copies of itself into them. The malware body itself may also be restored if it has been removed.
Which files are infected by this malware?
There is a wide range of files that this malware code can infect.
In the cases we investigated, it was found in the following files:
wp-config.php
wp-includes/vars.php
wp-includes/widgets.php
and other files that are executed each time a WordPress page is displayed.
This means that if even one copy of this loader code remains anywhere, the malicious code is written back into the various WordPress files all at once the next time a page is displayed.
How to get rid of malware
Since this malware is written into many WordPress files, it is very difficult to remove it by visually inspecting each file and cleaning them one by one.
If we first remove the malware body (the file at the path indicated by $wp_update_file=), then no matter how many times the loader code is executed, there is nothing for it to read, so it becomes harmless.
After that, removing the sub-malware for re-infection one by one, i.e. every block of code containing $wp_update_file= (as shown in the above figure), is the most efficient and safe way.
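The process flow above and the removal order just described can be turned into a small triage script. The following is an added example written for this article, not code from the plugin or from the malware: it walks a WordPress tree, finds every file carrying the $wp_update_file= marker, resolves the path each marker points at, and then quarantines the malware body first, as the article recommends, before the loader copies are cleaned. The quoted-string assignment form matched by MARKER_RE, the resolution of relative paths against the WordPress root, and the sample tree built by build_sample_tree() are all assumptions made for the demonstration; the page only shows the "$wp_update_file=" prefix.

```python
import os
import re
import shutil
import tempfile
from pathlib import Path

# Assumption: the loader assigns a quoted path, e.g. $wp_update_file="...";
# The article only shows the "$wp_update_file=" prefix, so adjust if needed.
MARKER_RE = re.compile(r'\$wp_update_file\s*=\s*[\'"]([^\'"]+)[\'"]')
SCAN_SUFFIXES = {".php", ".inc"}


def find_infected_files(root):
    """Return a list of (carrier_file, referenced_body_path, body_exists).

    carrier_file is relative to root; referenced_body_path is absolute.
    Assumption: a relative path in the marker is resolved against root.
    """
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        for match in MARKER_RE.finditer(text):
            ref = match.group(1)
            body = Path(ref) if os.path.isabs(ref) else root / ref
            hits.append((str(path.relative_to(root)), str(body), body.exists()))
    return hits


def removal_plan(hits):
    """Order cleanup as the article recommends: malware body first, then loaders."""
    bodies = sorted({body for _, body, exists in hits if exists})
    carriers = sorted({carrier for carrier, _, _ in hits})
    return {"remove_first": bodies, "then_clean": carriers}


def quarantine_bodies(hits, quarantine_dir):
    """Move each existing malware body out of the web root so loaders become inert."""
    qdir = Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    moved = []
    for body in removal_plan(hits)["remove_first"]:
        src = Path(body)
        dst = qdir / src.name
        shutil.move(str(src), str(dst))  # keep a copy for later analysis
        moved.append(str(dst))
    return moved


def build_sample_tree():
    """Constructed sample WordPress tree (placeholder content, not real malware)."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    (root / "wp-includes").mkdir()
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "wp-config.php").write_text(
        "<?php\n$wp_update_file=\"wp-content/uploads/.cache.dat\";\n"
        "// ... normal configuration follows ...\n")
    (root / "wp-includes" / "vars.php").write_text(
        "<?php\n$wp_update_file = 'wp-content/uploads/.cache.dat';\n")
    (root / "wp-includes" / "widgets.php").write_text("<?php\n// clean file\n")
    (root / "wp-content" / "uploads" / ".cache.dat").write_text(
        "PLACEHOLDER-OBFUSCATED-BLOB")
    return root


if __name__ == "__main__":
    wp_root = build_sample_tree()
    found = find_infected_files(wp_root)
    for carrier, body, exists in found:
        print(f"{carrier} -> {body} (body present: {exists})")
    print(removal_plan(found))
    print("quarantined:", quarantine_bodies(found, wp_root.parent / "wp-quarantine"))
    print("bodies still present:", [e for _, _, e in find_infected_files(wp_root)])
```

Run it against a real installation by calling find_infected_files() with the site's document root; review the reported carriers before editing them, since the marker regex only proves the loader is present, not that the rest of the file is untouched.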
This type of malware can be detected by the Free WordPress: Malware Scan & Security Plug-in [Malware and Virus Detection and Removal].
Once you have eliminated the malware body and the sub-malware, you should also take basic security measures, such as closing the vulnerability that allowed the attacker to alter the files on your server.