Link To Full Story: ottopress.com
Shared by JohnH
Go Otto!
As I’ve gotten involved with helping the WordPress.org theme review team, I’ve seen some strange things. One of the stranger ones was a theme virus that actually propagated from one theme to all others in a WordPress installation. That one was awfully clever, but it ultimately didn’t really do anything but propagate and generally be a pain in the ass.
However, today, @chip_bennett discovered that one of his themes had been copied and was being redistributed by a site called top-themes.com.
It had malware inserted into it that is of a much more malicious and spammy nature. Further investigation reveals that ALL of the themes on that site contain basically the same code. This code is not actually “viral”, but it’s definitely malware and it’s worth investigating to see some of the ways people try to hide their spam.
So today, I’m going to dissect it and serve it up on a platter for everybody to see.
Infection Point
We’ll start at the most obvious place, the functions.php file. At its very end we find a call to get_custom_headers(); which has an innocuous enough sounding name, so we go find that function. Here’s the first part of it:
```php
function get_custom_headers() {
    // Named to look like a WordPress core helper, but defined by the theme itself
    $_SESSION['authenticated'] = false;
    // Builds a path to the theme's own screenshot.png; DS is not a WordPress
    // constant, so the theme must define it elsewhere (not shown in this excerpt)
    $filename = dirname(__FILE__).DS."screenshot.png";
    // ... the remainder of the function is not included in this excerpt
}
```
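As an added defender-side example (not code from Otto's post or from the theme), here is a small Python triage script for the pattern just described: it lists bare top-level calls in a theme's functions.php and flags a called function when its body writes to $_SESSION or builds a path to an image file, as get_custom_headers() does. The sample functions.php is constructed for the example, and the brace matching is deliberately simple (it ignores braces inside strings).

```python
import re

# Constructed sample modelled on the snippet above; not the real theme file
SAMPLE_FUNCTIONS_PHP = r"""<?php
function theme_setup() {
    add_theme_support('post-thumbnails');
}
add_action('after_setup_theme', 'theme_setup');

function get_custom_headers() {
    $_SESSION['authenticated'] = false;
    $filename = dirname(__FILE__).DS."screenshot.png";
}
get_custom_headers();
"""

# Traits worth a second look in a theme function: session writes and
# code that resolves a path to an image (a common place to stash a payload)
SUSPICIOUS = [
    ("session_write", re.compile(r"\$_SESSION\[")),
    ("image_path", re.compile(r'dirname\(__FILE__\).*\.(?:png|jpe?g|gif)["\']')),
]

FUNC_DEF = re.compile(r"function\s+(\w+)\s*\([^)]*\)\s*\{")
BARE_CALL = re.compile(r"^\s*(\w+)\s*\(\s*\)\s*;", re.M)


def split_functions(src):
    """Return ({name: body}, text outside all function bodies)."""
    funcs, outside, i = {}, [], 0
    while True:
        m = FUNC_DEF.search(src, i)
        if not m:
            outside.append(src[i:])
            return funcs, "".join(outside)
        outside.append(src[i:m.start()])
        depth, j = 1, m.end()
        while j < len(src) and depth:          # naive brace matching
            depth += {"{": 1, "}": -1}.get(src[j], 0)
            j += 1
        funcs[m.group(1)] = src[m.end():j - 1]  # body without the closing brace
        i = j


def triage(src):
    """Flag top-level calls (run on every page load) whose target looks suspicious."""
    funcs, outside = split_functions(src)
    findings = []
    for call in BARE_CALL.findall(outside):
        if call in funcs:
            hits = [label for label, pat in SUSPICIOUS if pat.search(funcs[call])]
            if hits:
                findings.append((call, hits))
    return findings
```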