A Scandinavian technology company, Fox IT, was one of the first discovers of a new threat to PHP based programs (such as WordPress, Drupal, Joomla, etc. ) The Fox IT CryptoPHP white paper is quite technical but we will summarize the issue for you here. It is about something termed ‘Nulled Scripts’ and given another label too, CryptoPHP. This is perhaps a new term to most of our customers. So what exactly are these so-called Nulled Scripts? Nulled scripts are scraps of PHP code, which can be found on free or otherwise non-approved WordPress plugin sites or even in WordPress theme archives; which have had their copy-protection removed. Various *pro* plugins and themes come with a serial number, or key, which enables paid features or provides access to download free upgrades. Nulled scripts have such protections removed (so that it is become ‘free’). There are many websites that are offering these nulled-scripts and also nulled WordPress plugins and theme installers. They shouldn’t be used because of the following problem: CryptoPHP explained The programmers who published the white paper have witnessed a drastic increase in the availability of nulled/corrupted scripts. read_more Of course it is not “new” news that alot of “free” WordPress plugins might have this kind of malware embedded in it; if it was not downloaded from a trusted source such as WordPress.org, WooThemes, WooThemes, Theme Forest, Drupal.org Joomla.org, etc. But this particular kind infection is more of a threat than previous malware because in it encrypts data before transmitting it back to its controlling servers; which of course can be located anywhere in the world. Identifying the infection is rather simple though: For example take this line of code: include('wpassets/images/someimage.png'); A web developer that could be reviewing the code should be suspicious of it because an 'image' is not supposed to be included this way into an PHP script. This “ include() “ function call is supposed to be used for importing PHP code. So this has turned out to be be a way of injecting malware PHP code contained in a fake image file. This devious technique isn’t readily detected by malware/virus scanners because most of the...
