Analysis of malware found on Wrongplanet.net

Post Reply New Topic

An analysis of malware infecting Wrongplanet.net

The malware that was found is a Wordpress malicious plugin
that would have been installed after the site was hacked.

Once the plugin has been installed it hides itself
from the list of active plugins and opens a back door
into WordPress creating admin user accounts.

The plugin then injects packed and obfuscated code
into the core Wordpress files and a second script into the web pages.
This second script sets up an onclick event handler
that waits for a users click anywhere on the infected page.
When this happens a pop-up opens, creating a chain of
redirects.
Once this is complete a cookie is dropped
onto the users pc and is set for one hour.
The code then removes the onclick event handler.

All the front facing pages are infected with the second
injected malicious script. This includes

http://wrongplanet.net

and all the pages behind the buttons on the banner at the top of
the webpages:

http://wrongplanet.net/videos/
http://wrongplanet.net/category/friends-relationships/
http://wrongplanet.net/category/community-newsmakers/
http://wrongplanet.net/category/school-jobs/
http://wrongplanet.net/category/parenting/
http://wrongplanet.net/category/autism-news/
http://wrongplanet.net/category/therapies/

All the forum pages i've looked at are clean.

Logging in on the front page will cause the script
to execute, but logging in at:

https://wrongplanet.net/forums/
or
https://wrongplanet.net/forums/search.p ... d=newposts

will not as they are within the forums section and are unaffected.

The malware code is packed, hex encoded then jjencrypted.
I've posted the code in it's various stages here for
educational purposes.

http://pagebin.com/xSJLsZNP

Here are some resources to help the site Admin with
removal:

https://blog.sucuri.net/2018/02/unwante ... ugins.html

https://blog.cyberbyte.org/blog/wordpre ... op-unders/

https://fixmywp.com/blog/detect-clean-w ... direct.php

https://wordpress.org/support/topic/inj ... njectbody/

https://www.scmagazine.com/pair-of-word ... le/744142/

Finally after looking at the code it can be seen that the
code won't set up the onclick event handler if it finds
a new clickund_expert cookie.
This means a tampermonkey script can create the cookie
before the malware runs.
For educational purposes I created one today and it
has proved to be successful in stopping the pop-ups on the
infected parts of the site.

Thanks Soliloquist, it's good of you to invest so much effort on this on our behalf; much appreciated.

I understand now why I haven't been seeing these problems; completely unintentionally, my WP bookmark enters the site via the forums page, as you have noted above.

It's just a shame that the deafening silence from the admins makes it necessary for forum users to do the detective work!

Awesome

Thanks I'm sure many of our users will appreciate it. On a side note, and for your own personal growth as a JS programmer going forward I offer you this one critique: get used to using const (for variables that won't be reassigned) and let for those that will, as opposed to using var, which can overwrite global variables. Obviously the statement is in an IIFE so it doesn't matter, it's just a good habit to get used to with modern JS.

thanks.

The code was a direct copy and paste from the malware.
The global nature of the variable wasn't going to cause any problems
within this simple script.

Nonetheless your advice is all good.

I am moderator, Alex is the only admin. Mods have not been silent on this issue. I have posted threads in both the WP forum and the GAD forum, and continue to warn members (I will post this thread as a link in the General forum thread). I will also post a link to this thread in a thread that Alex has posted in, so that he gets a notification of it directly (hopefully) as my attempts to alert him by other methods haven't received a response as yet.

Thank you from me also Soliloquist - and others who have provided feedback in all of the threads so far.

Thanks for all your efforts, Soliloquist.

Thank-you Soliloquist. I had wondered why people were talking about pop-ups and now I know. I'm like Trogluddite and use a forum bookmark. Hopefully something will now be done to remove the malware. If Alex doesn't want to, perhaps he could find someone who does. I know this is his site and the revenue isn't likely to be much so it may feel onerous to maintain it.

How long has the site been infected for?

My bookmarks are set to "view your posts", so I haven't noticed much, and I usually have NoScript running as well.

It’s not nice to put his users at risk though.



Thanks Soliloquist, will bear those links in mind.

My sincere apologies for the ambiguous comment. It was not my intent to criticize the moderators at all, only those who have the power to actually fix this problem. All of the moderators here do a very good job IMHO (thankyou all! ), and I can see that you have all done your very best to help members to work around these issues and are as frustrated with them as any of us.

Same, i only visit the main site like once a year... mostly by mistake.

Thanks for the clarification.

Thanks for your work Soliloquist, the malware stopped me from being able to access the site for some time.

Is there a way I can have FireFox or AdBlocker block that site from loading because I'm used to accessing the forums from my watched posts which is fine with this cr@p but when I don't do that, I access it from going to the main site & I sometimes forget that I cant do it anymore & it's a pain in the a$$ to close that page without having to force stop FF which screws up the other tabs I have open.