Researchers at Georgia Institute of Technology have identified malicious plugins on tens of thousands of WordPress websites.
An analysis of nightly backups of more than 400,000 unique web servers has revealed the existence of more than 47,000 malicious plugins installed on nearly 25,000 unique WordPress websites. More than 94% of these plugins (over 44,000) continue to be in use today.
Over 3,600 of the identified malicious plugins were purchased from legitimate marketplaces such as CodeCanyon, Easy Digital Downloads, and ThemeForest. The majority of these plugins did not use obfuscation to hide their malicious behavior, the academics say in a research paper.
The dataset used for the research spanned a period of eight years, between July 2012 and July 2020, and revealed a steady increase in the number of installed malicious plugins, with the activity reaching a peak in March 2020.
According to the researchers, adversaries buy the codebase of popular free plugins and then add malicious code and wait for users to apply automatic updates. Attackers were also observed impersonating benign plugin authors to distribute malware via pirated plugins.
“While the website owners trusted the plugin ecosystem and spent a total of $7.3M on only the plugins in our dataset, we found that this trust is often broken for the attackers’ monetary gains,” the academics say.
For their analysis, the researchers built an automated framework for malicious plugin detection and tracking, called YODA, which was deployed against the dataset of 400,000 web servers belonging to customers of website backup provider CodeGuard.
Of the identified malicious plugins, more than 10,000 used webshells and code obfuscation. The researchers also identified cases of plugin-to-plugin infection, where a malicious plugin infects other plugins on the same web server, replicating its behavior.
Overall, more than 40,000 plugin instances were infected post-deployment. In many cases, attackers abused the infrastructure to inject malicious plugins into websites, and then attempted to maintain access to the web servers.
Some of the behaviors in the identified malicious plugins were popular in late 2012, while others were introduced more recently. Regardless of age, however, the behaviors remain prevalent in present-day malicious plugins.
The researchers also discovered more than 6,000 plugins that impersonated benign plugins available through legitimate marketplaces, while offering a trial option to website owners, something that is not typically available in most paid plugin marketplaces.
The results of the analysis were reported to CodeGuard and work is underway to remediate the situation. However, the academics say that only 10% of website owners were seen attempting to clean up their installations, and more than 12% of the cleaned-up websites were reinfected.