3 Oct, 2018

Quttera WordPress Malware Scanner v.3.2.1.0

Release 3.2.1.0 of the Quttera WordPress Malware Scanner adds several valuable enhancements to an already powerful tool. Users who have the plugin installed can update it from the WordPress administrative dashboard. With the latest version, scanning is more thorough, including WordPress core directories.
Why Malware Scanning is Necessary
WordPress is a very secure CMS when used properly and kept up to date, but its popularity makes it the target of many attacks. A site that is out of date is vulnerable. Plugins and themes may have their own vulnerabilities, and they need to be updated for security patches. Any delay in applying updates can open a window of vulnerability.

Some themes and plugins, when they come from questionable sources, contain malicious code by design. Reputable plugins downloaded from not-so-reputable sites may be modified versions designed to perform unauthorized actions. It just takes one mistake for malware to slip through. Regular scanning of a site's files can catch that mistake before it results in serious harm.
New malware is constantly appearing, so scanning for the signatures of known varieties is insufficient. The protective software has to recognize patterns of behavior rather than just specific sequences of bytes.
Features of Quttera WordPress Malware Scanner
The Malware Scanner performs both an external and an internal scan. The internal scan examines the site's PHP and JavaScript source files for malware. The external scan simulates a browser and checks for suspicious behavior from the site. The purpose of having both scans is to maximize the chances of detecting both known and unknown threats.
Internal Scan
The internal scan examines all source files on the hosting server, including site-specific files, images, themes, and plugins. Starting with version 3.2.1.0, it also scans WordPress core files. Quttera's patented algorithms work with a threat intelligence database. The database is updated twice daily from ThreatSign's database.
Rather than relying on signatures of known malware, the scanner uses a heuristic scan engine to find suspicious behavior. This approach lets it find threats which aren't yet recorded in any database. It applies weighted rules, statistical methods, and flow analysis when examining the code.
The internal scan uses machine learning to update its behavior. It crowdsources the results of its previous analysis to update its rules and their weights. This makes it more accurate over time, catching more problems and reporting fewer false positives.

The threats that the internal malware scanner looks for include the following:

  • Infected PHP, JavaScript, image, and other files. WordPress is based on the PHP language, and infected files can perform actions the owner didn't intend. Infected JavaScript can alter the behavior of pages in the browser or redirect to other pages.

  • PHP shell injection. This technique causes system commands to run on the server with the privileges of the website's account.

  • Backdoors. These are pieces of code surreptitiously installed that allow an outside user to modify the site's behavior or extract private information.

  • Ransomware. It encrypts the files on the target system and demands that the owner pay to get them restored.

  • Trojans ("Trojan horses"). Plugins or themes from dubious sources may claim to do something useful but conceal malicious code.

  • Mailers. Unauthorized code can send out spam email without the site owner's knowledge.

  • Spyware. This category covers any code that reports information back to an unauthorized party.

The scanner's reports assign each file a severity level of Malicious, Suspicious, Potentially Suspicious, or Clean. It may not be necessary to act on suspicious and potentially suspicious reports, but they should all be examined for any concerns they may raise.
The scan may return some false positives. The administrator can whitelist files which are erroneously reported. In addition, reported threats can be whitelisted if a site legitimately takes actions that the scan classifies incorrectly. False positives can be reported to Quttera's helpdesk so that appropriate adjustments can be made to the rules.
External Scan
The external scan runs on Quttera's servers to probe the owner's site for any vulnerabilities. It takes a purely outside view of the site and crawls each page. It reports the following situations:

  • Hidden iframes. A deprecated feature of HTML, iframes don't appear in normal WordPress sites. When planted by an infection, they can embed malicious external content at runtime.

  • Known malicious resources. A legitimate site which has references to known malicious or blacklisted sites has likely been infected.

  • Blacklisting. An infected site which has been pulled into a botnet or sends spam is likely to appear on lists of known dangerous sites. Browsers will display a warning or block it completely when people visit it.

  • Black hat SEO. Normal SEO tries to maximize your search engine rank; black hat SEO tries to drive it down by sabotaging your site's files.

  • Malicious JavaScript. Compromised JavaScript does its damage in the browser rather than on the server. It can try to download malware or redirect the user to another site. Malicious code in obfuscated JavaScript will be caught.

  • Malicious redirection. Unauthorized alterations to file headers or PHP code can redirect the user to another site, perhaps a lookalike.

  • Drive-by download attempts. An infected site takes advantage of vulnerabilities in browsers to download malware files without the user's consent or knowledge.

The administrator can request an external scan from the dashboard at any time.
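
The hidden-iframe check from the list above can be sketched as follows. This is an added example, not Quttera's code: it parses a page and reports iframes a visitor cannot see, noting when they also load from another host. The sample markup, the host names and the names IframeAudit and hidden_iframes are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles that make a frame invisible or push it off-screen.
HIDING_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(?![.\d])"
    r"|(?<![\w-])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)"
    r"|(?:left|top)\s*:\s*-\d{3,}", re.I)

# Constructed sample markup: one visible embed and three concealed frames.
SAMPLE_PAGE = """
<iframe src="https://video.example.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://tracker.example.net/in.php" style="position:absolute; left:-9999px"></iframe>
<iframe src="//ads.example.org/f" width="1" height="1" frameborder="0"></iframe>
<iframe src="/preview" style="display:none"></iframe>
"""

class IframeAudit(HTMLParser):
    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}  # valueless attributes arrive as None
        reasons = []
        if "hidden" in a:
            reasons.append("hidden attribute")
        if HIDING_CSS.search(a.get("style", "")):
            reasons.append("hiding CSS")
        if {a.get("width", "").strip(), a.get("height", "").strip()} & {"0", "1"}:
            reasons.append("tiny size")
        # A concealed frame pointing at another host deserves the closest look.
        host = urlparse(a.get("src", "")).hostname
        if reasons and host and host != self.site_host:
            reasons.append("external src")
        if reasons:
            self.findings.append((a.get("src", ""), reasons))

def hidden_iframes(html: str, site_host: str) -> list:
    audit = IframeAudit(site_host)
    audit.feed(html)
    return audit.findings

if __name__ == "__main__":
    print(hidden_iframes(SAMPLE_PAGE, "blog.example.com"))
```

This inspects only static markup and inline styles. Frames hidden through external stylesheets or injected by script at runtime need a rendering crawler, which is why the external scan simulates a browser.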
New Features in 3.2.1.0
  • The internal scan now uses the WP-Cron mechanism.

  • The internal scan now checks WordPress core files in addition to the website files. The first step in the remediation process is checking the integrity of the core files. Any infections that have modified these files will be detected during this step.

  • The internal scan will look for unknown files in the WordPress core directories. It will report any infections that added files to them.
Additional Support
Quttera WordPress Malware Scanner is free, but additional paid options are available to aid in the quick elimination of any problems it discovers. ThreatSign Website Antimalware plans, and the website protection services they provide, are available at four levels to suit your business's needs.

Custom plans are available for large organizations. All plans come with unlimited repair requests, automatic malware removal, and blacklist removal.