At the end of November 2017, information security specialists reported on a new piece of malware, Wp-Vcd, that attacks websites running WordPress. The malware exploits already known vulnerabilities in plugins or in the CMS itself and disguises itself as legitimate WordPress files. If the attack succeeds, a new, hidden administrator account (login 100010010) is created on the infected site, which the attackers can then use as a backdoor. A detailed description of Wp-Vcd was published, for example, by Sucuri researchers. Now Sucuri analysts have decided to supplement their initial report with new facts. For example, the experts have learned that attackers use Wp-Vcd-infected sites to inject spam into their pages. Often, such ads send users to third-party sites that distribute “pirated” plugins, themes, and scripts for various CMSs, including WordPress. That is, these originally paid themes and plugins were allegedly “cleaned up” by the attackers and are now distributed completely free of charge.
Specialists warn that Wp-Vcd is distributed precisely through such hacked WordPress themes. The researchers write that all files in such themes carry the same date, but two files always differ from the rest: functions.php and class.theme-modules.php. It is in these files that Wp-Vcd hides. For example, if you carefully examine the functions.php above, you can find the following line. Researchers remind site operators that using “pirated” products of this kind can be dangerous. After all, as you know, if you do not pay for the product, then you yourself become the product.
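The date mismatch the researchers describe can be checked before a theme is installed. The following is an added example, not code from Sucuri or from the original article: it finds the modification date shared by most files in an unpacked theme and lists the files that deviate from it, marking the two file names the article mentions. It assumes the archive was extracted with its original modification times preserved; the function names and the sample theme tree with its dates are constructed for illustration.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path

# The two file names the article says differ from the rest of the theme.
NAMED_FILES = {"functions.php", "class.theme-modules.php"}

def mtime_date(path):
    """Modification date of a file, in UTC, with the time of day dropped."""
    return datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc).date()

def date_outliers(theme_dir):
    """Return (dominant_date, [(relative_path, date, named_in_article), ...])."""
    files = [p for p in Path(theme_dir).rglob("*") if p.is_file()]
    if not files:
        return None, []
    dates = {p: mtime_date(p) for p in files}
    # The date most files share is treated as the theme's packaging date.
    dominant, _ = Counter(dates.values()).most_common(1)[0]
    outliers = sorted(
        (p.relative_to(theme_dir).as_posix(), d, p.name in NAMED_FILES)
        for p, d in dates.items() if d != dominant
    )
    return dominant, outliers

def build_sample_theme(root):
    """Constructed sample: four files share one date, two were touched later."""
    packed = datetime(2017, 3, 1, 12, tzinfo=timezone.utc).timestamp()
    touched = datetime(2017, 11, 20, 12, tzinfo=timezone.utc).timestamp()
    layout = {
        "style.css": packed, "index.php": packed,
        "header.php": packed, "inc/widgets.php": packed,
        "functions.php": touched, "class.theme-modules.php": touched,
    }
    for rel, ts in layout.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("<?php // constructed placeholder\n")
        os.utime(path, (ts, ts))  # set access and modification time
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        dominant, outliers = date_outliers(build_sample_theme(tmp))
        print("dominant date:", dominant)
        for rel, d, named in outliers:
            print(f"{rel}\t{d}\t{'named in article' if named else 'other'}")
```

A deviating date is only a reason to read the file by hand; modification times are easy to reset, so a theme whose files all share one date is not thereby shown to be clean.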