PHParasites: WordPress Malware

I included honey pot functions to mimic registering users, and functions to mimic uploading new posts. This led to registered user IDs leaving obvious spam posts. Spam posts got made by registered users only, no exploits were exercised to do spamming.

The HTTP POST made to register a user seems like an all-encompassing form, comprising 71 name/value pairs. Some of the name/value pairs are just duplicates: the POST contains identical values for names zip_code, zipcode, zip and postalzip_code. The elaborate POST data also contains identical values for names cimy_uef_wp_PASSWORD, cimy_uef_wp_PASSWORD2, pass1, pass2, pswd1, pswd2, user_pw1, user_pw2, user_pwd1, user_pwd2, password, confirm_password, user_password and user_confirm_password. This POST data targets more than one registration form. I don't know enough about WordPress and its history to say if this duplicated entry form targets different versions of WordPress over the years, or it targets different CMS and blogging systems.

I accidentally deleted registration data for user ID rickyallison5579.

The email address "JackOrtal@bowlby.htsail.pl" registers lots of users on lots of blogs, as you can see by googling for that address.

Someone used IP addresses 83.23.140.18, 79.186.131.128, 31.6.71.150 to register all of the WordPress users. All of these IP addresses belong to Polish ISPs. All 478 spam posts came from 31.6.71.150, between 2013-06-10T01:13:49-06 and 2013-08-24T00:23:53-06

It certainly looks like the Polish Article Spammers set up their next user ID before having the previous ID post its final spam. I can't explain why "felipewaters3778" only made a single spam new post.

The articles get posted in one gigantic call to /wp-admin/post.php. That indicates that the posting is automated. Ordinary "new post" editing happens using TinyMCE, an open source in-browser WYSIWYG HTML editor. TinyMCE makes lots of calls back to the WordPress server via an AJAX mechanism. None of those AJAX calls occurred. Further, the HTTP POST to /wp-admin/post.php contains a lot of nearly identical name/value pairs. The HTTP POST contains names post_title, title and aiosp_title, all with the same value. It also contains names post_tag, newtags and aiosp_keywords also all sharing a lexically identical value. Just like the HTTP POST that registers new users, this POST seems designed to fill in many new-post forms.

The spam articles are all in English. The English in the spam is just slightly off, as if automatically translated from another language, or perhaps written by an intelligent, yet non-native English speaker.

The HTML uses entities for some letters, in what's known as a homoglyph attack. The entities are mostly English letters, but occasionally, a Cyrillic entity substitutes for a morphologically similar English letter (і → і). This is similar to one variety of PHP obfuscation, except that the goal appears to be visual, not lexical, equality. I have to wonder what the point of this obfuscation is. It would seem to be an attempt to eliminate the ability to grep for certain words, but the entities get used in non-specific words like "this".

The text format of all spams is the same: one paragraph per very long line, CR-LF end-of-line marks (MS-DOS "text" format). Roughly 27-28 paragraphs (one per line) per spam.

The pages linked-to in the spam have no relevance to the content of the spam. Most of the links seem to refer to payday loan web sites, but a huge variety of other websites get linked to. It's really hard to say if this is some misguided "SEO" attempts, or if the links lead to malware. I didn't follow any of them.

Sections

Author

Supporting Data