12 Sep, 2018

How to Address the Spike in wp_vcd Infection During the Last Few Days

If you own or manage a small to medium-sized business, you should be aware of the widespread wp_vcd malware campaign that is compromising WordPress sites across the globe. With the number of WordPress users growing by the day, wp_vcd is a threat to anyone who runs WordPress. Below is a look at the malware and the steps you can take to remove it and protect your website from future attacks.
What is wp_vcd?
wp_vcd is a malware strain that plants a backdoor in an infected WordPress site, giving hackers access to it. It was first documented by Manuel D'Orso, an Italian security researcher, and has been affecting websites for the past couple of years. The backdoor works by creating an administrator account with a password known to the attackers, so they can log in to your site for as long as the account survives. wp_vcd may also inject SEO spam or other unauthorized content into your pages to further the attackers' goals.
Who is at Risk for wp_vcd?
Any website that uses WordPress is at risk for wp_vcd. About 19,500,000 websites currently run WordPress, and the number grows by the day. Sites running outdated WordPress plugins and themes are especially at risk.
How is the Latest Version of wp_vcd Different?
In recent days, users have been infected with a different version of wp_vcd. In this most recent version, the malware payload containing the malicious links is dropped in a wp-includes/wp_xxx.php file instead of the wp-vcd.php file. To detect the new version, search your files for the following strings:

  •  "apu.php?zoneid"
  •  "notice.php?p"
  •  "ntfc.php?p"
You can locate the theme-level infection by searching for the following string: "if (isset($_REQUEST['action']) && isset($_REQUEST['password'])"

Another key feature of the latest variant is the set of malicious domains associated with it. Analysis of the payload identified the following domains as the sources of the injected content:
  •  go.onclasrv[.]com
  •  go.mobisla[.]com
  •  luckypushh[.]com
  •  go.mobtrks[.]com

Upon execution, the payload redirects visitors to other websites. For instance, in the example below, visitors reaching go.onclasrv[.]com are redirected to cobalten[.]com, which currently displays an empty page:

As of this writing, a publicwww query for just the first of these strings combined with one of the malicious domains (see image below) returns 6,057 infected websites.
Why is wp_vcd so Troubling?
wp_vcd presents multiple challenges to businesses because of its widespread scope. Because WordPress has been the most popular CMS for the last several years, the potential for harm is extensive. Failure to remove wp_vcd can cause short-term and long-term problems for your organization. Here are four primary reasons why wp_vcd poses such a threat to businesses across the globe.
1) Roughly 30 Percent of the Web is Now Powered by WordPress
"WordPress now powers 30 percent of the web, according to data from web technology survey firm W3Techs. This represents a 5 percentage point increase in nearly two and a half years after WordPress hit the 25 percent mark in November 2015."
-- Paul Sawers VentureBeat
With nearly one-third of the web at risk for wp_vcd, the likelihood that a given business is affected is high. The exposure is especially pronounced compared with malware targeting other CMS platforms such as Joomla, Drupal, Magento, and Shopify, which together account for less than 10% of sites.
2) wp_vcd is Costly
Malware such as wp_vcd presents a costly problem for business owners. Website downtime, resources spent troubleshooting, and costs related to the removal of wp_vcd can hinder a company's productivity and cash flow.
3) Hackers are Able to Access Your Website for Extended Periods of Time
wp_vcd creates a convenient backdoor through which hackers can access your website and connect it to other infected sites. In many cases, the malware is not detected until weeks or months after the backdoor is created, because attackers often plant the backdoor first and only use it at a later date.
4) wp_vcd can Impact Multiple WordPress Subdomains
WordPress users who run several installations (for example on different subdomains, or in subdirectories of one hosting account) bear an especially high risk, because the malware can spread to every directory where WordPress is installed separately.
How Can You Remove wp_vcd From Your Website?
Swift removal of wp_vcd is vital to smooth website operation and file protection. Fortunately, removing wp_vcd is a fairly straightforward process. Here are five simple steps to help you remove wp_vcd from your website:
  • Step 1: Thoroughly scan your website using ThreatSign
  • Step 2: Review your scan report to identify the specific files that are infected with wp_vcd
  • Step 3: Make sure every infected file is removed from your website, and remove any administrator account you did not create, since the backdoor described above relies on one
  • Step 4: Scan your website again to confirm that you have successfully removed the infected files
  • Step 5: Focus on preventing wp_vcd from infecting your website in the future
Of the five steps above, steps one and five play the most important role in the removal process. Established anti-malware providers have the tools to remove and prevent wp_vcd, can guide you through steps 2, 3 and 4, or can do the work for you.
What Steps Can You Take to Prevent wp_vcd?
Removing wp_vcd is vital to restoring your website's functionality. Once it is removed, focus your resources on prevention, which requires a proactive approach and ongoing attention to detail. Below are some key measures you can take to prevent wp_vcd:
1) Maintain Your Company’s Firewall
While this measure may seem elementary, firewall maintenance is essential to preventing wp_vcd from infiltrating your website.
2) Always Update Your Themes
Because wp_vcd has been found embedded in WordPress theme files dating from 2015 and 2016, it is critical to keep your WordPress themes updated. Use care and discretion when selecting themes, and obtain them only from their original source, so that you do not install one that is bundled with malware.
3) Scan Your Website for Malware
Continuous malware scanning (anti-malware monitoring) is a vital part of website security. It is important that you employ both internal (server-side) and external (client-side) types of scanning to get a comprehensive security report.
4) Use Beyond Compare on a Regular Basis
Getting into the habit of regularly comparing your files and folders against a known-good copy is a reliable way to isolate changes to your website. Beyond Compare is a data comparison tool that lets you run side-by-side comparisons of files, directories, and archives, so files that were added or modified since the copy was taken stand out immediately.
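As an added example (not part of the original article, and not Quttera's or Beyond Compare's code), the following POSIX shell script turns the indicator strings from "How is the Latest Version of wp_vcd Different?" and the folder comparison described in this section into two checks you can run on a server: a grep of every .php file under a WordPress document root for the indicator strings, and a recursive diff of the live tree against a known-good copy (a fresh download of the same WordPress version, or a backup taken before the incident). The directory tree it builds under a temporary directory is constructed for illustration; the planted file sample-payload.php and the stub in functions.php are invented for this example, not file names or code reported for wp_vcd.

```shell
#!/bin/sh
# Added example, not code from the original article: look for the wp_vcd
# indicator strings listed in the article and compare a live WordPress tree
# against a known-good copy. Uses only POSIX sh, find, grep and diff.

# Print every .php file under $1 that contains one of the indicator strings.
# -F treats each pattern as a fixed string, so '?', '[' and '(' are literal.
scan_wp_vcd() {
    find "$1" -type f -name '*.php' -exec grep -lF \
        -e 'apu.php?zoneid' \
        -e 'notice.php?p' \
        -e 'ntfc.php?p' \
        -e "if (isset(\$_REQUEST['action']) && isset(\$_REQUEST['password'])" \
        {} + 2>/dev/null || true   # grep exits 1 when nothing matches; not an error here
}

# List files that differ between a known-good copy ($1) and the live site ($2),
# plus files that exist on only one side. This is the side-by-side folder
# comparison from the article, done with diff.
diff_against_known_good() {
    diff -rq "$1" "$2" || true     # diff exits 1 when the trees differ; that is the point
}

# Constructed fixture: a tiny "known-good" tree and a "live" tree with two
# planted files. Names and contents are invented for this example.
build_fixture() {
    good="$1/known-good"; live="$1/live"
    mkdir -p "$good/wp-includes" "$good/wp-content/themes/example" \
             "$live/wp-includes"  "$live/wp-content/themes/example"
    printf '<?php echo "clean";\n' > "$good/wp-includes/version.php"
    printf '<?php echo "clean";\n' > "$live/wp-includes/version.php"
    printf '<?php echo "theme";\n' > "$good/wp-content/themes/example/functions.php"
    # Theme-level signature from the article, appended to an otherwise normal file.
    cat > "$live/wp-content/themes/example/functions.php" <<'EOF'
<?php
echo "theme";
if (isset($_REQUEST['action']) && isset($_REQUEST['password'])) { /* constructed stub */ }
EOF
    # Dropped payload referencing one of the listed domains (defanged).
    printf '<?php $u = "http://go.onclasrv[.]com/apu.php?zoneid=1";\n' \
        > "$live/wp-includes/sample-payload.php"
}

WORK=$(mktemp -d)
build_fixture "$WORK"
echo "== files containing wp_vcd indicator strings =="
scan_wp_vcd "$WORK/live"
echo "== files that differ from the known-good copy =="
diff_against_known_good "$WORK/known-good" "$WORK/live"
rm -rf "$WORK"
```

On a real server, point scan_wp_vcd at the document root and diff_against_known_good at a fresh download of the same WordPress version or a pre-incident backup. Where WP-CLI is installed, wp core verify-checksums does the same comparison for core files against the checksums published by WordPress.org, but it does not cover themes and plugins, which is where the theme-level signature lives; for those you still need your own known-good copy. Treat every hit as a lead to review by hand: a fixed-string grep only catches the strings of this variant, and a file that differs from the reference may simply be a legitimate customisation rather than malware.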
The Bottom Line
Protecting your website and business from wp_vcd is critical for any business that uses WordPress. While wp_vcd is not necessarily the most dangerous malware affecting websites, it should be a top concern for owners of the 19,500,000 websites that use WordPress. Fortunately, you can play an active role in protecting your business from wp_vcd by monitoring your website and signing up for Quttera's ThreatSign.

If you would like to protect your business from wp_vcd and other malware just sign up for ThreatSign. Featuring unlimited malware removal and hacking repair, ThreatSign is the ideal solution for businesses with websites that have been the target of wp_vcd and hackers. You can even opt for ThreatSign plans that guarantee a four-hour response time and continuous malware scanning every thirty minutes.