G DATA researcher analyzes a widespread backdoor
Creating your own website has long been associated with a lot of manual work. However, modern tools make creating websites essentially child’s play: there are countless ready-made designs into which you only have to insert your text and images. There are lots of free as well as paid extensions for WordPress. Price-conscious webmasters naturally try to avoid such costs as much as possible.
Certain paid themes or templates are very popular. It is therefore not surprising that pirated copies of them can also be found on the web. Some of these pirated copies, however, come with hidden "add-ons" that can get a website operator into trouble and turn their own website into a malware distributor. The website operator usually remains unaware of all this.
Anyone who is serious about running a website wants to rank as high as possible in Google's search results. A search engine uses various evaluation criteria for its ranking, such as the frequency with which other pages link to the page. Many companies employ staff whose sole task is to place the website as high as possible in the search results. This activity is called Search Engine Optimization (SEO). A particular version of a WordPress theme uses SEO techniques to increase its own proliferation.
Once the theme is installed on a WordPress system, external content is loaded each time the website is visited. This external content is under the control of the attacker. Placing malicious content is therefore entirely possible. Other versions of the backdoor even create a hidden administrator account, which puts an attacker into a position where he can access the system at any time and, for example, store malicious code directly on the compromised website.
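A site operator can review a theme for the two behaviours described above before activating it. The following is an added example, not code from the G DATA analysis: a small Python scanner that flags theme PHP lines which fetch remote content or create an administrator account. The regular expressions are heuristic assumptions built on standard PHP and WordPress function names, and the sample theme is constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Heuristic rules chosen for this example; they are not indicators
# taken from the G DATA analysis.
RULES = {
    "remote-content": re.compile(
        r"\b(wp_remote_get|wp_remote_post|file_get_contents|curl_init)"
        r"\s*\(\s*['\"]https?://", re.I),
    "user-creation": re.compile(r"\b(wp_create_user|wp_insert_user)\s*\(", re.I),
    "admin-role": re.compile(
        r"set_role\s*\(\s*['\"]administrator['\"]"
        r"|['\"]role['\"]\s*=>\s*['\"]administrator['\"]", re.I),
}

def scan_theme(theme_dir):
    """Return (relative path, line number, rule) for every suspicious PHP line."""
    findings = []
    root = Path(theme_dir)
    for php in sorted(root.rglob("*.php")):
        text = php.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            for rule, rx in RULES.items():
                if rx.search(line):
                    findings.append((php.relative_to(root).as_posix(), lineno, rule))
    return findings

def demo():
    """Scan a constructed theme: one clean template, one file with both behaviours."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "inc").mkdir()
        (root / "index.php").write_text("<?php get_header(); the_content(); get_footer();\n")
        (root / "inc" / "extras.php").write_text(
            "<?php\n"
            "$html = wp_remote_get('https://example.invalid/links');\n"
            "$id = wp_create_user('support', $pw, 'a@example.invalid');\n"
            "$u = new WP_User($id); $u->set_role('administrator');\n"
        )
        return scan_theme(root)

if __name__ == "__main__":
    for path, lineno, rule in demo():
        print(f"{path}:{lineno}: {rule}")
```

A hit is a prompt for manual review, not proof of compromise, and obfuscated code will not match these literal patterns; comparing the theme against the vendor's original files remains the stronger check.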
If you want to take a closer look at how this WordPress malware works, you can download the detailed analysis by clicking the preview below and read the details there.