In the latter half of 2019, malware known as WP-VCD was installed on more new WordPress sites than any other malware — and this trend is expected to continue in 2020. Here is what you need to know about WP-VCD.
Many small and midsized businesses use the WordPress content management system to create and run websites because it is free yet full-featured. Its widespread use, though, makes WordPress sites a popular target for cybercriminals.
A top threat to WordPress sites is malware called WP-VCD. In the latter half of 2019, WP-VCD was installed on more new sites per week than any other malware — and this trend is expected to continue in 2020, according to a December 2019 report.
Although cybercriminals created WP-VCD, they are not the ones installing it on WordPress sites. The site owners or developers have been unknowingly doing that. For this reason, if your business is using a WordPress site, you need to know some basic information about WP-VCD. By looking at the 5 Ws — what, where, why, who, and when — you can get a good idea of what this malware is all about.
What Is WP-VCD?
WP-VCD is malware that cybercriminals hide in pirated versions of commercial WordPress plugins and themes (i.e., pirated versions of plugins and themes that you would normally have to purchase from vendors). They offer the pirated plugins and themes for free to entice people to install them on their WordPress sites. Once installed, cybercriminals can easily insert and remove malicious advertising (aka malvertising) in those sites.
The malvertising generates revenue for the cybercriminals, as other attackers often pay to place ads on the compromised sites. The attackers’ ads might, for example, redirect visitors to malevolent servers or display pop-up boxes that contain malicious payloads.
Where Are the Pirated Plugins and Themes Found?
You might think that the pirated plugins and themes are peddled on shady sites that are hard to find because they are tucked away in the far recesses of the Internet. In reality, the distribution sites for the pirated plugins and themes look like most other software download sites. And these sites are not hard to find. When people search for popular commercial plugins or themes, the distribution sites often appear high in the search results, sometimes even before legitimate sites. The distribution sites rank high in the results because the cybercriminals use black-hat search engine optimization (SEO) code to drive search engine traffic to those sites.
You can find a list of known distribution sites for the pirated plugins and themes in the “WP-VCD: The Malware You Installed On Your Own Site” whitepaper.
Why Is the WP-VCD Campaign So Successful at Snagging Victims?
Despite being around for several years, the WP-VCD campaign is still very effective. Its continued success at snagging victims can be attributed to several factors. For starters, WP-VCD preys on human nature. People like to save money — and in small and midsized businesses where budgets can be tight, keeping costs down is often a necessity. Since the cybercriminals’ distribution sites appear high in search results and seem legit, many people are unaware that the plugins and themes they are installing in their sites are pirated and laced with WP-VCD.
Another factor keeping the campaign going strong is the sophistication of WP-VCD and its supporting command and control (C&C) infrastructure. For example, once the malware is installed, it scans the WordPress site for existing themes and installs itself in each theme found. This ensures the site stays infected if the pirated component is later removed from the site. WP-VCD also creates an administrator-level backdoor account in each compromised theme. This account lets the cybercriminals interact directly with the site. The malware even generates a password for the account so that other hackers cannot take advantage of the backdoor.
Although the cybercriminals can personally interact with infected WordPress sites, they most often let one of their C&C servers do the work. The servers issue commands that insert or remove malvertising, run black-hat SEO code, and perform other malicious actions.
Who Is at Risk of Becoming a Victim?
Any business with a WordPress site is at risk of having its site become infected with WP-VCD. Most at risk are companies that routinely install free versions of commercial plugins and themes on their sites, especially if they download those components from unfamiliar sites.
But even businesses that do not install any free versions of commercial plugins and themes are at risk if their WordPress sites are running in a shared hosting environment. WP-VCD has the ability to spread itself beyond the compromised WordPress site to the underlying web server. This means that other WordPress sites running on that server can become infected.
While visitors to compromised WordPress sites are not at risk of having their browsers or devices infected with WP-VCD, they are at risk of becoming malvertising victims — which is bad for them and bad for business. If word gets out that a company’s site has malvertising, existing and potential customers will likely avoid visiting it and sales could drop as a result.
When Will the WP-VCD Threat Go Away?
WP-VCD is not like most other types of WordPress malware. No amount of patching or firewalls can prevent an infection, according to security experts. That’s because businesses are unwittingly installing the malware on their own sites. As long as people want to save money, cybercriminals will continue to try to trick them into installing pirated plugins and themes that have WP-VCD hidden inside.
Since WP-VCD isn’t going away any time soon, businesses need to take measures to protect their WordPress sites. The most important thing you can do to prevent an infection is to resist the temptation of installing free versions of commercial plugins and themes, especially if you have to download those components from unfamiliar sites.
If you have downloaded one in the past or your WordPress site is running in a shared hosting environment, it is also a good idea to check your site for signs of a WP-VCD infection. We can scan your site for indicators and clean it up if it is infected.