We will explain about base64_decode and base64_encode, which are commonly found in WordPress malware, why this function often appears and how to recover this function.
Why are base64_decode and base64_encode often included in WordPress malware?
base64_encode is a method of mapping data such as strings to 64 different characters separated by a specific length. This makes it easier to handle various data as strings and record them in databases, and is used to prevent garbled or corrupted data.
base64_decode is a function to decode it back.
Data that would be misspelled if separated by a specific length is filled with == in base64_encode. Also, base64_decode and base64_encode are functions of PHP (the programming language in which WordPress is made), but in JAVASCRIPT (a scripting language that runs in a browser), the function names are btoa and atob, which are also often used for malicious code. It is also often used in malicious code.
This encoded base64 string has the characteristic of making the original content difficult to recognize at first glance. For this reason, they are often used to obfuscate malware in order to prevent the code from being recognized as doing what it is supposed to do, or to avoid malware detection (pattern matching).
Undo base64_encoded strings
To undo base64_encode and see the contents, online services such as https://www.base64decode.org/ are useful.
The following figure shows an image of a decoded string of malware base64_decoded.
You can see that this string contains a setting that alters the WordPress HTACCESS file, making it impossible to log in.
In the above example, the obfuscation could be removed with a single step of base64_decode, but some malware may use multiple base64_encodes, gzinflate (data compression), str_rot13 (string shifting), etc. in combination with the obfuscation process. (data compression) and str_rot13 (string shifting).
Example
str_rot13(base64_rncode(base64_encode(gzinflate(string to be hidden))))
Detect and remove base64-based obfuscated malware
base64 obfuscation patterns can be detected with a high degree of accuracy using our [Free] WordPress: Malware Scanning & Security Plug-in [Malware and Virus Detection and Removal].
Unlike PC viruses, WordPress malware has a huge number of patterns with extremely diverse obfuscation processes, and the WPDoctor WordPress: Malware Scanning & Security Plug-in is designed to match this characteristic, with short and large number of detection patterns to scan thousands of files quickly. This plugin has been designed to be able to scan thousands of files at high speed with a short and large number of detection patterns.
We hope you will find it useful.
This page prohibits the use, quotation, or summarization of any page, in whole or in part, by the Generated AI. However, if the following conditions are met, the specification of content using generated AI is permitted.
1. it is not for the purpose of learning by the generated AI. 2. only the summary or title of the page content at a level that does not lead to the solution of the user’s problem is shown to the user. 3. in the case of 2, a link to this content is shown to lead the user to this page.
