[修正済み] WordPress で WP-VCD マルウェアを削除する方法

wp-vcd.php ファイルにちなんで名付けられた WP-VCD マルウェアは、WordPress スペースに大混乱を引き起こしています。マイクロソフトのセキュリティ脅威インテリジェンス チームが 1 年以上前に最初に検出して以来、このマルウェアは進化し、より巧妙になっています。この悪名高いマルウェアの進化と、Web サイトの wp-vcd マルウェア感染を修正および防止する方法に関する私たちの調査を以下に示します。

WP-VCD マルウェアの症状:

<オール>

WordPress に追加された新しい管理者ユーザー: ハッカーが管理者権限を持つユーザーとして WordPress に自分自身を追加するのを見てきました。

高いリソース消費: WP-VCD マルウェアは、サーバー リソースを消費することが知られています。また、ホスティング会社が「リソースの使用率が高い」ことを理由としてアカウントを一時停止しているのも見てきました.

ウェブサイトの読み込み時間が遅くなりました: 多くの場合、このマルウェアに感染した Web サイトの読み込み時間は悪影響を受けます。場合によっては、読み込みに通常 2 ～ 3 秒かかる Web サイトが、読み込みに 30 秒以上かかることがあります。

不明な JavaScript コード: functions.php、index.php などの一部の重要な WP ファイル、またはほぼすべてのコア WP ファイルに、未知の JavaScript コードが追加されていることが確認されています。 2 番目の問題は通常、修正が困難であり、Web サイトが悪意のあるドメインにリダイレクトされることもよくあります。

コア フォルダ内の悪意のある PHP コード: 「WP-VCD」コードは、WordPress 内のさまざまな場所に追加されます。これがマルウェアの名前の由来です。その名前から、このファイルは WordPress の一部であると推測されるかもしれませんが、コード分析ではマルウェアであることが判明しました。

これは、wp-includes ディレクトリ内にうまく隠されている WP-VCD マルウェアの例で、Astra Security のマルウェア スキャナーによってフラグが付けられています。

WP-VCD ウイルス感染の主な原因:

感染したら、感染を除去し、WordPress が完全に安全であることを確認することが不可欠です。同時に、そもそも何が感染源だったのかを知ることも同様に重要です。特定されたいくつかのエントリ ポイントは次のとおりです。

• 海賊版および無効化されたテーマ: WP-VCD マルウェアには、有料テーマ/プラグインの海賊版がプリインストールされています。これらの無効化された (海賊版の) テーマとプラグインには、インストール時に展開される悪意のあるスクリプトが含まれています。
  
  After setting its foot on your website through a nulled theme, it goes on to infect every other theme on your site. In the case of a shared server, this malware then propagates to infect each unprotected site hosted on that server. That’s why we often see this malware infects all the websites on the same server when they aren’t containerized.
  
  
• Un-updated plugins &themes: This is one of the top causes of almost all WordPress infections. However, updating all the themes/plugins after the infection has happened doesn’t mean the infection would go away. Cleaning the infection is still required and so is ensuring proactive security, more on it below.
  
  
• No proactive security on the website: Truth be told, hackers have evolved their techniques over the years. They gain thousands of dollars from such hacks, which means that they can spend hundreds of dollars automating these hacks to infect thousands/millions of websites at once.
  
  To protect against such evolved WordPress hack techniques, a small investment in a security tool goes a long long way. Saves you headaches at times like these and prevention of SEO/marketing/sales loss from the downtime is another added benefit.

How exactly does the WP-VCD malware work?

[some technical (yet super important) jargon ahead]

It’s really important to understand what exactly does WP-vcd does and how it’s able to slow your website eating up all your precious server resources.

When malicious code is inserted in your website, it usually sits in core files like functions.php/index.php. Now, this malicious code makes a call to files within your website. When your website is opened from the browser, it tries to reach the files to which malware is making the call. And these files may or may not exist on your website causing the functions.php to get executed again. Essentially bringing the website loading process to a big loop. This, in the security language, is called a ‘forkbomb’.

Step 1:Deploys malicious scripts

In the functions.php file within your theme, you would see some code similar to this:

<?php if (file_exists(dirname(__FILE__) . '/<b>class.theme-modules.php</b>')) <b>include_once</b>(dirname(__FILE__) . '/<b>class.theme-modules.php</b>'); ?>

This code checks if there are deployer scripts available and subsequently executes them. As you can see in the code above, the file that’s been called is the class.theme-modules.php file. Now, depending on where the infection emanates from (i.e. theme or plugin), the malicious script will be in file class.theme-modules.php or class.plugin-modules.php respectively.

Step 2:Creates backdoor

<?php
 
//install_code1
error_reporting(0);
ini_set('display_errors', 0);
DEFINE('MAX_LEVEL', 2); 
DEFINE('MAX_ITERATION', 50); 
DEFINE('P', $_SERVER['DOCUMENT_ROOT']);

$GLOBALS['<b>WP_CD_CODE</b>'] = 'PD9waHANCmVycm9y...(base64-encoded string of PHP code)
...

This code creates a new admin user with a name similar to 100010010 . The objective of this backdoor admin account is to make sure that the hacker is able to access the website even if you delete the malicious code basically, so that the attackers could attack your website at a later point in time.

Step 3:Gets instructions from hackers

Sometimes hackers inject URLs of their C2 servers. These URLs are later called to deploy action across the infected sites in one go. Domains such as www.krilns[.]com/code.php ​, ​krilns[.]pw ​, ​krilns[.]top , etc have been found executing this in many WP-VCD infected sites.

Step 4:Infects other files and sites

The next thing that the WP-VCD malware does is to expand itself. It deploys the malicious script in every theme and plugin on your site. Next, it goes on to find vulnerable sites on the same server and infects them too.

This propagation starts with the deployment of a script located at wp-includes/wp-vcd.php​ . It’s followed by modifications in the core wp-includes/post.php​ which at last execute the code in ​wp-vcd.php​ on every page.

How to fix &remove the WP-VCD WordPress malware?

<オール>

Finding &removing malicious code: There are a few places where probability of finding the malicious code is high. Though, hackers often try to improve their ways to hide the malware more creatively still these files/folders on your server are worth starting the hunt from:

• wp-includes/wp-vcd.php
• wp-includes/wp-tmp.php
• wp-content/themes/*/functions.php (all themes installed on the server whether active or not)
• class.wp.php

• code1.php
• class.theme-modules.php (inside the theme folder)
  
  

Searching malicious string patterns :Searching for string patterns that are found in infected malware files helps you in narrowing down the search. A few of them mentioned below:

• tmpcontentx
• function wp_temp_setupx
• wp-tmp.php
• derna.top/code.php
• stripos($tmpcontent, $wp_auth_key)
  
  

Analyze functions.php: This file is one of the top infected files by hackers. Reviewing the code in functions.php can reveal the controlling code of wp-vcd malware.

Run a diff check to ensure code authenticity: Run a diff check of the file contents on your server with corresponding files in the WordPress core GitHub repository or theme/plugin directory. You can use either of the approaches (or both) using SSH or using your IDE.


(File difference checking, screenshot from Astra’s malware scanner showing malware added at the top of index.php file)

Run a malware scan: In such malware infection situations, a malware scanner can save you hours of hunting for malware (which still doesn’t guarantee success). Malware scanner not only scans each and every file of the server but ensures every difference in core files of your WordPress is pointed out.

The WP VCD malware gets a foothold in your site by leveraging loopholes in outdated plugins and themes. In most WP-VCD cases, the web owners infect themselves by installing a free/nulled plugin &themes from unauthorized sources, while in others it occurs as a result of contamination by infected sites.

Related Guide – Comprehensive Guide on WordPress
Tip:Scan WordPress for malicious cod e

One of the biggest lessons to be learnt from such hacks is to ensure your website is secure going forward. Not ending up in a hack situation like this is totally possible using Astra Security Suite that powers security of thousands of websites around the globe, stopping millions of attack and malware every day!