This article explains the malware that disguises itself as an .ico file, which has recently been spreading widely, and introduces countermeasures.


Malware disguised as ico files infecting WordPress

If you are experiencing symptoms such as WordPress redirecting to other sites without your permission, mysterious strings being displayed in the header or footer of your site, or JS files you do not remember adding being loaded, please be careful.
If you find the following code in your WordPress files, you are infected with a type of malware that disguises itself as an .ico file.

@include "7usr/\150ome/random strings.ico";

This short line, written by the hacker, is an instruction to load another piece of malware with the .ico extension from a specific directory. The path is obfuscated with escape sequences such as \150 (octal for the letter h) so that the real location is not obvious.
It is generally found in files such as the following.

● wp-config.php
● index.php in any folder
● header.php, footer.php, single.php, page.php in the theme folder

Reference article
Learn how hackers rewrite (alter) files on your WordPress site to increase security!

The ico file: the main body of the malware

Ico files are essentially image files, but since many malware detection plug-ins exclude them from scanning, hackers give their PHP program code an .ico extension so that the file is not detected.

When @include loads the file, PHP executes the contents of the ico file as program code, performing whatever unauthorized activity the hacker wants to carry out on the site.

The contents of such an ico file generally look something like the following, and are further obfuscated (for example with junk comments such as /*cab6*/ inserted between tokens) so that what the hacker is doing is not obvious at first glance.

$_gow5jau = basename/*cab6*/(/*a7jhy*/trim/*fs4*/(/*1x*/preg_replace/*s2ot*/(/*9z*/rawurldecode/*7a*/(/*n*/"/\(.*$/"/*i*/)/*fi40*/, '', __FILE__/*pz2or*/)/*5*//*sq*/)/*sdxc*//*tz*/)/*rkadc*/
(followed by a long obfuscated string)

The activities of these programs vary widely, but they are often unauthorized redirects, such as sending visitors to another site or replacing links on the site so that they point to another site.

Detection and Elimination of Malware Disguised as Ico Files

With WordPress Doctor Malware Scanner & Security, we can detect both the tampering that is loading malware in @include and the body of malicious code disguised as an Ico file.
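As an added example (not the WordPress Doctor scanner or any code from the original article), the following Python script applies both checks described above to a WordPress install: it finds include/require statements whose target ends in .ico, decoding PHP octal and hex string escapes to reveal the real path, and it flags .ico files that start with a PHP open tag instead of the icon magic bytes. The sample files at the bottom are constructed for illustration.

```python
import os
import re

# PHP include/require (optionally @-silenced) whose quoted target ends in .ico.
INCLUDE_RE = re.compile(
    r'@?\s*(?:include|require)(?:_once)?\s*\(?\s*(["\'])(.*?\.ico)\1', re.IGNORECASE)
OCTAL_RE = re.compile(r'\\([0-7]{1,3})')
HEX_RE = re.compile(r'\\x([0-9A-Fa-f]{1,2})')
ICO_MAGIC = b"\x00\x00\x01\x00"  # first four bytes of a genuine Windows icon

def decode_php_escapes(s):
    r"""Resolve PHP double-quoted octal (\150 -> h) and hex (\x2f -> /) escapes."""
    s = OCTAL_RE.sub(lambda m: chr(int(m.group(1), 8)), s)
    return HEX_RE.sub(lambda m: chr(int(m.group(1), 16)), s)

def find_ico_includes(php_source):
    """Return the decoded .ico paths that include/require statements load."""
    return [decode_php_escapes(m.group(2)) for m in INCLUDE_RE.finditer(php_source)]

def is_php_in_ico(data):
    """True when a .ico file holds PHP code rather than an icon bitmap."""
    head = data.lstrip()[:64]
    return not data.startswith(ICO_MAGIC) and head.startswith(b"<?")

def scan_files(files):
    """files: {relative_path: raw_bytes}. Returns a list of (path, finding)."""
    findings = []
    for path, data in files.items():
        lower = path.lower()
        if lower.endswith(".ico") and is_php_in_ico(data):
            findings.append((path, "php-code-in-ico"))
        elif lower.endswith(".php"):
            for target in find_ico_includes(data.decode("utf-8", "replace")):
                findings.append((path, "include-of-ico:" + target))
    return findings

def scan_tree(root):
    """Walk a WordPress install on disk and feed every file to scan_files()."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
            except OSError:
                continue
    return scan_files(files)

# Constructed sample files (not taken from a real infection); \057 is octal for "/".
SAMPLE = {
    "wp-config.php": b'<?php\n@include "\\057usr/\\150ome/site/wp-content/uploads/abc123.ico";\n',
    "wp-content/uploads/abc123.ico": b'<?php\n$_gow5jau = basename(trim(preg_replace("/\\(.*$/", "", __FILE__)));\n',
    "favicon.ico": ICO_MAGIC + b"\x01\x00" + b"\x00" * 16,
}

if __name__ == "__main__":
    for path, finding in scan_files(SAMPLE):
        print(path, finding)
```

Run `scan_tree("/path/to/wordpress")` against a real install; a clean site should return an empty list, while an infected one lists both the tampered PHP file and the disguised ico payload it loads.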

What to do if the @include statement is detected

Since this line is what the hacker uses to load the main body of the malware, delete the entire @include ~ ; statement (the line starting with @ and ending with ;) with a text editor or similar, and save the file again.

What to do if the malware body with Ico extension is detected

This file is not part of WordPress. If you open it and find that it contains obfuscated code, you can delete it as is.