WordPress, Weeden, BabaYaga discussed on The CyberWire
To manipulate search engines and drive traffic to the services that they want, they need websites to be in good working order. And so part of that is to be able to upgrade WordPress or reinstall WordPress if it happens to not be working for some reason. I assume they would run this code to update or fix it?

At first we didn't know. Ultimately, what the malware was doing, when I started the analysis, I was looking at that code that fixes WordPress or updates or reinstalls it, and why would they want to do that? But eventually we discovered, you know, the reason for its existence is to have search engines crawl and index these spam results. So the malware authors need the website to be in good working order. Otherwise the spam won't get indexed, or maybe the search engine will ignore the site because it's broken or something like that. So part of the effort to make sure that it works is to be able to fix WordPress or update it. And then the other part of that was to search for existing malware and delete it.

Yeah, take us through that. I mean, do you think it's looking for competition, or is it part of that effort to keep things up and running without drawing any attention to the site?

I think it's both. At first I saw that code and I figured that the author of BabaYaga is the same author of all of this other malware that it's checking for, or, you know, maybe they had older stuff they were wanting to remove. But again, as the purpose of the malware became clear, I realized that what it's probably doing is removing competition, not necessarily because the author has anything against these other malware authors, but again, just to make sure the site doesn't do anything that will prevent it from being indexed by search engines. So it looks like a scanner. It looks like, you know, some of these WordPress security plugins.
You know, a little bit like Wordfence, in that it has these signatures that belong to common other malware, and if it finds them then it can run this code that deletes that malware out of a file and restores the file to its original uninfected state. There's also some code that looks for simple defacements, which is where, you know, someone has broken into a site and just, you know, rewritten the index file with "Hacked by" whoever. So it looks for any of those and it just deletes those. And then if possible, it'll restore whatever files were overwritten by the defacement. So it's going for a few different things there. And like you said, it's both, you know, removing competition, but also trying to avoid notice, because really what they want to do is make sure nobody really notices the websites are getting hacked, and the search engines don't notice that anything strange is going on. They'll just go ahead and index those spam pages and drive the traffic that the hackers want. Then everybody wins, I guess.

Well, it's an interesting way to frame it too, because if I'm running a WordPress site that gets infected with BabaYaga, am I likely to know? Are there going to be any performance issues? How will I know that there's a problem? Will I even know there's a problem?

I don't think that there would be a way for you to notice unless you're either running a security product like Wordfence, or maybe if you're really actively monitoring your performance in search results, then you might notice some of these spam pages starting to show up in the search results for your site. But otherwise, if you're not taking some kind of active measure to really watch for changes to your code or changes to the pages that your site is generating or the search results for your site, then I don't think that you'd probably ever notice.

It's interesting, in your research you used the phrase that it's a symbiotic relationship.
And I think that's interesting because I can see, if we just sort of put aside the fact that malware is bad, if I'm running my site and someone is doing updates for me and backups for me and making sure that my site isn't infected with other malware, the performance of my site hasn't been affected, and I don't even notice that anything's going on here. It's a funny thing to think about, isn't it? Like, do we actually have a problem?

It is a, it's a very unusual question that I don't think I've seen come up in any of the other malware that I've researched. There is a problem, obviously, because it is someone else using websites that belong to other people, and that's not okay, that's never okay. And obviously if something came up that was even less ethical, I'm sure that they would switch to that. You know, if there was some kind of way to use these sites to attack something and make more money that way, I imagine they wouldn't have any qualms about switching to that instead.

Right. So let's not fool ourselves into thinking that they're doing this for anyone's benefit but their own.

Right, right. And the other thing is that the way that they are manipulating search engine ranking is also going to harm other organizations that would be competing that aren't doing this kind of shady work. So if you have some honest essay writing service and you're just writing genuine content to try and promote yourself or whatever, then I think that the spam code that we saw when we were analyzing it would probably just roll right over you, and then the hackers win at your expense.

Right, right. So what are your recommendations for people to protect themselves against this?

Well, my first recommendation for anyone using WordPress sites, obviously, is to use a security plugin. I have to recommend Wordfence. I think it's the best out there.

Completely unbiased, right.

Of course. As security professionals, we always talk a lot about defense in depth.
So there has to be a broader awareness of security as part of the entire way that you run a website. So, you know, running Wordfence or whatever security product is part of that. Also, you have to make sure that you use secure password practices. You can't use a weak password on a website, or it will eventually be guessed; the hackers will guess it and will break in. You can't use the same password for your website as you use for any other account. You just can't do that anymore. Maybe a decade ago that would have been okay or something, but with the massive data breaches and password leaks, you just can't do that. So, you know, using a password manager is something that I also really wholeheartedly recommend; if you don't do that already, now is the time to start. And that includes the password that's used for administration on your website. Another really important thing, obviously, is to keep your website up to date, and that includes WordPress and every plugin or theme. Just make that part of the life of your website: it's just consistently checking for updates and applying them as soon as possible. Because part of the benefit of that is you may notice problems sooner, you know, if it has been compromised or something, that can help. Then the other is of course protecting it in the first place from outdated, maybe vulnerable plugins; patching those vulnerabilities helps protect your site.