23,000 Websites at Risk of Backdoor CryptoPHP Threat

Just before everyone headed home for Thanksgiving break last week, researchers at the Netherlands-based digital forensics lab Fox IT posted a whitepaper detailing the results of their investigation into a backdoor that could affect over 23,000 websites that use the WordPress, Joomla, and Drupal publishing platforms to host their own content.

Called CryptoPHP (after the RSA public-key cryptography it uses to call back to its command and control servers), the backdoor works by exploiting less-than-reputable web administrators’ desire to pick up themes and plugins on the cheap.

By prowling many of the more popular underground networks which trade in pirated code, the hacker was able to sneak his way into sites that had installed layouts on their servers sourced from websites like freemiumscripts.com, mightywordpress.com, and anythingforwp.net.

While Fox was unable to provide a more precise set of statistics breaking down exactly which websites are vulnerable on a case-by-case basis, they have been able to use their detection tools to create a map showing which countries were most impacted by the campaign. It gives a rough estimate of where the virus’ creators might hail from, based on the pattern shown by the C&C servers connected to the botnet as a whole.

Fox IT notes that since their original investigation into the matter on November 20, they’ve seen a steady decline in source points registering on their detection systems.

“Since publishing we’ve been keeping an eye on any new developments within CryptoPHP. On the 23rd most of the websites used to spread the backdoored plug-ins and themes went offline; unfortunately they were back up with a new setup a day later and are still active at the time of this publication.

In total 23.693 unique IP addresses connected to the sinkholes. We are already seeing a decline in sinkhole connections: on the 22nd 20.305 connections were made, on the 23rd 18.994, and on the 24th it was already down to 16.786.”

With that in mind, they’ve also acknowledged that their public statement about the existence of CryptoPHP could itself be the cause of the downward trend, as the hackers behind the campaign adapt their methods to evade any collective effort to bring their network down.

According to the paper, the hackers have already pushed out an updated version of CryptoPHP through the same backdoors that were established at the start of the attack, one that is more resilient to detection and automatically places heavier layers of encryption on the channels used both to spread the backdoor and to maintain the connections between each link in the chain.

Fox has provided a set of custom scripts on GitHub that website owners can run themselves to detect whether or not their themes have been compromised, as well as a tutorial on how to remove the threat if a malicious installation is detected.
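Fox IT’s own scripts are on GitHub; the following is an added example, not Fox IT’s code, showing the simplest check a site owner can run against a theme or plugin directory: compare every file against a known-good manifest of SHA-256 hashes (as published by the vendor or recorded at install time) and report anything added, removed or modified. A backdoor bundled into a pirated theme shows up as an added or altered file. The directory layout, file contents and manifest in the demo are constructed for the example.

```python
"""Integrity check for a CMS theme or plugin directory.

Added example (not Fox IT's detection script): compares every file under a
directory against a known-good manifest of SHA-256 digests and reports files
that were added, removed or modified since the manifest was recorded.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """SHA-256 digest of a file, read in chunks so large assets are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each relative file path under root to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare_to_manifest(root, known_good):
    """Return {'added', 'removed', 'modified'}: sorted lists of relative paths.

    'added' files are the most interesting for backdoor hunting, since a
    dropped PHP file is not in any vendor manifest; 'modified' catches an
    include line appended to an existing file such as functions.php.
    """
    current = build_manifest(root)
    added = sorted(set(current) - set(known_good))
    removed = sorted(set(known_good) - set(current))
    modified = sorted(
        p for p in current if p in known_good and current[p] != known_good[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: record a clean theme, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = os.path.join(tmp, "theme")
        os.makedirs(os.path.join(theme, "inc"))
        files = {  # constructed sample theme, not a real theme
            "style.css": "/* Theme: Example */\nbody { margin: 0; }\n",
            "functions.php": "<?php\nadd_theme_support('title-tag');\n",
            "inc/helpers.php": "<?php\nfunction example_helper() { return true; }\n",
        }
        for rel, body in files.items():
            with open(os.path.join(theme, rel), "w") as f:
                f.write(body)
        known_good = build_manifest(theme)  # the reference manifest

        # Simulate tampering: a new file dropped in, functions.php altered to
        # include it, and one legitimate file removed.
        with open(os.path.join(theme, "inc", "dropped.php"), "w") as f:
            f.write("<?php\n// constructed placeholder standing in for injected code\n")
        with open(os.path.join(theme, "functions.php"), "a") as f:
            f.write("include_once __DIR__ . '/inc/dropped.php';\n")
        os.remove(os.path.join(theme, "inc", "helpers.php"))

        return compare_to_manifest(theme, known_good)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In practice the manifest must come from a trusted source (the vendor’s original package, or a hash list recorded immediately after a clean install), never from the directory being checked, and the comparison should cover every theme and plugin directory, not only the one that was pirated, since an installed backdoor can write anywhere the web server user can.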

Because the problem only applies to websites that pirated their themes rather than paying for them honestly, it will only affect a small percentage of the overall blogging community at large.