The Real Cost of Unlicensed Plugins

Note: Are you interested in how the Jetpack team investigates malware to help protect your site? Then we’ve got you covered. The takeaways are for everyone, but the second half of the article does require some technical knowledge of how WordPress works.

Creating your new business website or your personal blog is really exciting! Choosing a nice theme which will showcase your vision and selecting the proper plugins to deliver the best user experience is not an easy task, and it will most likely add to the cost of having this project up and running. Pirating software may be tempting as an easy cost-saving measure.

Besides software like Windows 10, Microsoft Office, or Adobe Creative Suite, you’ll find pirated WordPress extensions out there too. Downloading plugins and themes from sites that aren’t licensed distributors will only add to your cost in the long run. Let me explain why.

In 2018, BSA published the Global Software Survey, which reports some striking numbers:

  • 37% of all software installed on personal computers is unlicensed
  • The cost of fixing malware or viruses installed from pirated software is nearly $360 billion a year

Some may argue that a pirated WordPress theme or plugin will do no harm to their computer, or doesn’t even represent a threat to their information since it’s running on someone else’s computer (also known as the cloud). This couldn’t be more wrong.

Question the sales pitch

Many software engineers rely on other companies to distribute and sell their work. Alongside the legitimate distribution avenues, there are pirated software websites. These sites don't have to worry about engineering code, because they steal it for profit. They spend their time on the sales pitch instead, since their only goal is to get you to download and install their pirated software.

Example of a pirated theme ad

Why pay the developers and the distributor if you can get it for free?

We encourage you to be cautious of any site that has lots of ads and download buttons which can confuse you and increase their bottom line by increasing their site clicks. Also, be on the lookout for clear violations of distribution like the example in the image above.

The deal with Mephistopheles – Reading the fine print

In German folklore, Faust, aiming to gain more knowledge and power, made a deal with the Devil. Similarly, sites that provide pirated versions of WordPress extensions are not clear about what they get in return, so you're the one taking all the risk.

Don’t worry, we are here to help you understand the deal you’re really signing.

I downloaded this Cinematix Theme from a shady theme site. Immediately I noticed that the content of the readme.txt file is identical to version 2.3 of the default Twenty Seventeen theme.

Example nulled theme code
Is it Cinematix or Twenty Seventeen theme?

We advise that you do not do this yourself, but since we're security professionals I went ahead and followed the instructions. I renamed the directory from nld_theme_index to cinematix. This felt completely unnecessary, and in fact it was.

In the themes section of my wp-admin I could see that the theme was installed but it seemed off because there was no preview picture. Perhaps if I activate it, then it will work?

No preview available, perhaps it’s just a matter of activating it.

After activation, I got a nice little message that I have to purchase the software! You will never be asked to purchase a theme license for a free theme from the WordPress directory. There are many great premium themes that require a purchase but that usually comes before you download. Do not pay for themes that you did not download from the developer or company that created them.

But the message said it was free… And what about that typo?

In the name of science, I’ll remove this lock and use the Cinematix theme for free.

As predicted, this “Cinematix Theme” is actually just the free open source Twenty Seventeen theme in disguise. We saw this coming by looking at the readme.txt earlier.

Let’s dig into the code and see what we can find, but where do we start? The fake theme already gave us a hint when it tried to convince us to pay for a license we didn’t need. The THEME LICENCE INVALID, PLEASE PURCHASE message is not part of Twenty Seventeen and can be our guide to locate other nasty stuff.

I found this message in /inc/template-tags.php, a file that also exists in the original theme. The code below, however, does not, and it's our first Indicator of Compromise for this malware.

function licence_invalid() {
	echo '<h1 style="color:red;">THEME LICENCE INVALID, PLEASE PURCHASE.</h1>';
	die;
}
add_action('template_redirect', 'licence_invalid');
  • SHA1 – f0df1a134caf09e79b6e852dbcf853cbca4e04f6 nld-theme-index/inc/template-tags.php
  • MD5 – 7cb7118ed422d867b2fd0f607b056581 nld-theme-index/inc/template-tags.php

Everything that preceded that function was of course malicious and dangerous; let’s take a look:

The first function there (getUserIpAddr()) is not bad by itself, but it's used by activate_nulled_theme() to provide information about the compromised site when phoning home.

The first thing activate_nulled_theme() does is add the wp_rest_api user as an Administrator of the site, and here we have our second Indicator of Compromise.

Not only are they trying to get you to buy a license you don't need, but they are also "phoning home" (an opportunity for the malicious code to share information about your website with the author of the fake theme). You can see the phone-home code in the call to wp_remote_post, which is set to send your site's URL, IP address, and credentials.

For those of you reading who aren't experts: what we are seeing here is that the malicious code in this pirated theme is going to send a username and password to hackers so they can log into your site. This gives them access to private content and to orders from e-commerce shops, and gives them full control of your website.

In addition to all that, it drops a copy of the code in /inc/adminindex.php into wp-includes, wp-admin and wp-content/uploads. Can you guess what this file does?

It is a File Upload Backdoor, giving the attacker your site’s address, an admin user, and a way to drop in any additional malware they want to add. This is our last indicator of compromise, though at this point it’s just icing on the malicious cake.

  • SHA1 – 6ab059929f89a77c698619a88de756f69a9f8c53 nld-theme-index/inc/adminindex.php
  • MD5 – 940864af2095f4fcfa646d45c1dd2366 nld-theme-index/inc/adminindex.php
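A scanner that checks a WordPress install for the indicators described above (the fake licence message, adminindex.php copies in the directories the theme drops into, the wp_rest_api user, and the two files' hashes) is shown here as an added example; it is not Jetpack's scanner code. The sample site tree it builds is constructed for the demonstration, and the user list is assumed to be supplied from outside, for instance from `wp user list --field=user_login`.

```python
import hashlib
import tempfile
from pathlib import Path

# Indicators from the article: SHA1/MD5 of the two malicious theme files.
KNOWN_BAD_HASHES = {
    "f0df1a134caf09e79b6e852dbcf853cbca4e04f6", "7cb7118ed422d867b2fd0f607b056581",  # template-tags.php
    "6ab059929f89a77c698619a88de756f69a9f8c53", "940864af2095f4fcfa646d45c1dd2366",  # adminindex.php
}
LICENCE_MARKER = b"THEME LICENCE INVALID, PLEASE PURCHASE"
DROP_DIRS = ("wp-includes/", "wp-admin/", "wp-content/uploads/")
ROGUE_USER = "wp_rest_api"

def scan_wordpress(root, user_logins):
    """Return (indicator, detail) findings. user_logins is the site's list of
    login names (e.g. from `wp user list --field=user_login`); no DB access here."""
    root = Path(root)
    findings = []
    for path in root.rglob("*.php"):
        data = path.read_bytes()
        rel = path.relative_to(root).as_posix()
        digests = {hashlib.sha1(data).hexdigest(), hashlib.md5(data).hexdigest()}
        if digests & KNOWN_BAD_HASHES:
            findings.append(("known-bad-hash", rel))
        if LICENCE_MARKER in data:  # the fake licence check is not in Twenty Seventeen
            findings.append(("fake-licence-check", rel))
        # adminindex.php is not a core file; a copy in a drop directory is the backdoor
        if path.name == "adminindex.php" and rel.startswith(DROP_DIRS):
            findings.append(("dropped-backdoor", rel))
    if ROGUE_USER in user_logins:
        findings.append(("rogue-admin-user", ROGUE_USER))
    return findings

def build_sample_site():
    """Create a constructed WordPress-like tree in a temp dir (sample data only)."""
    root = Path(tempfile.mkdtemp())
    files = {
        "wp-includes/functions.php": b"<?php // clean placeholder\n",
        "wp-content/themes/cinematix/inc/template-tags.php":
            b"<?php function licence_invalid() { echo '" + LICENCE_MARKER + b"'; die; }\n",
        "wp-includes/adminindex.php": b"<?php // stand-in for the dropped backdoor\n",
        "wp-content/uploads/adminindex.php": b"<?php // stand-in for the dropped backdoor\n",
    }
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)
    return root
```

The hash check only fires on the real files from the article; the constructed stand-ins are caught by the name and marker checks instead.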

Conclusion

Using pirated software can seem like an easy way to cut costs, but behind the curtain it can be doing terrible things to your site, and later to you or your visitors. Exploit kits, as our friends at MalwareBytes shared in this post, can be added to your site through this File Upload backdoor or the wp_rest_api user and used to attack your visitors' browsers.

We strongly recommend that you have a security plan for your site that includes malicious file scanning and backups. Buying your software allows developers to continue their work, but more importantly, ensures your site and visitors are safe.


Fioravante Souza


Comments

  1. Jonathan says:

    Great article. Really liked how you actually dive deeper and investigate what actually happens instead of just saying it's unethical and “””illegal””””.

    Also what’s with the title being about a “Plugin” but you talk about a theme…. (feel free to delete after)
    Anyways, looking forward to more nulled plugins/theme investigations.
