Eight-Year Study Finds 24,931 WordPress Sites Using Malicious Plugins (gatech.edu)
"Since 2012 researchers in the Georgia Tech Cyber Forensics Innovation Laboratory have uncovered 47,337 malicious plugins across 24,931 unique WordPress websites through a web development tool they named YODA," warns an announcement released Friday:
According to a newly released paper about the eight-year study, the researchers found that every compromised website in their dataset had two or more infected plugins.
The findings also indicated that 94% of those plugins are still actively infected.
"This is an under-explored space," said Ph.D. student Ranjita Pai Kasturi who was the lead researcher on the project. "Attackers do not try very hard to hide their tracks and often rightly assume that website owners will not find them."
YODA is not only able to detect active malware in plugins, but it can also trace the malicious software back to its source. This allowed the researchers to determine that these malicious plugins were either sold on the open market or distributed from pirating sites, injected into the website by exploiting a vulnerability, or in most cases, infected after the plugin was added to a website. According to the paper written by Kasturi and her colleagues, over 40,000 plugins in their dataset were shown to have been infected after they were deployed. The team found that the malware would attack other plugins on the site to spread the infection.
"These infections were a result of two scenarios. The first is cross-plugin infection, in which case a particular plugin developer cannot do much," said Kasturi. "Or it was infected by exploiting existing plugin vulnerabilities. To fix this, plugin developers can scan for vulnerabilities before releasing their plugins for public use."
Although these malicious plugins can be damaging, Kasturi adds that it's not too late to save a website that has a compromised plugin. Website owners can purge malicious plugins entirely from their websites and reinstall a malware free version that has been scanned for vulnerabilities. To give web developers an edge over this problem, the Cyber Forensics Innovation Laboratory has made the YODA code available to the public on GitHub.
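The summary above describes two things a site owner can act on: most plugins in the dataset were infected after deployment (including by other plugins on the same site), and the remedy is to purge the affected plugin and reinstall a clean copy. The script below is an added example, not YODA's code or anything from the Georgia Tech paper. It records a hash baseline of every plugin file right after a clean install, later diffs the live plugin tree against that baseline (modified, added, and missing files), and flags PHP files containing the dynamic-execution-of-decoded-string constructs typical of injected loaders. The plugin names, file contents and the `PLACEHOLDER` payload strings are constructed sample data; the regex patterns are a small heuristic set I chose, not an exhaustive signature list.

```python
"""Baseline-integrity and heuristic scan for a wp-content/plugins tree (added example)."""
import hashlib
import re
from pathlib import Path

# Heuristics for post-deployment injections: dynamic code execution fed by an
# encoded/compressed string. A hit is a lead to inspect, not proof of infection.
SUSPICIOUS_PATTERNS = {
    "eval-of-decoded-string": re.compile(
        rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\("
    ),
    "create_function-of-decoded-string": re.compile(
        rb"create_function\s*\([^)]*\b(base64_decode|gzinflate)\s*\("
    ),
    "preg_replace-e-modifier": re.compile(rb"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]"),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict[str, bytes]) -> dict[str, str]:
    """Hash every file immediately after installing a plugin from a clean source."""
    return {path: sha256_hex(content) for path, content in files.items()}


def load_tree(root: Path) -> dict[str, bytes]:
    """Read a real plugins directory into the same {relative_path: bytes} shape as the sample."""
    return {str(p.relative_to(root)): p.read_bytes() for p in root.rglob("*") if p.is_file()}


def suspicious_constructs(content: bytes) -> list[str]:
    return [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(content)]


def scan_plugins(baseline: dict[str, str], current: dict[str, bytes]) -> list[dict]:
    """Compare the live tree to the install-time baseline and add heuristic hits for PHP files."""
    findings = []
    for path, content in current.items():
        reasons = []
        if path not in baseline:
            reasons.append("added-after-install")      # dropped-in file (e.g. a loader or shell)
        elif sha256_hex(content) != baseline[path]:
            reasons.append("modified-after-install")   # existing file changed since clean install
        if path.endswith(".php"):
            reasons.extend(suspicious_constructs(content))
        if reasons:
            findings.append({"path": path, "reasons": reasons})
    for path in baseline:
        if path not in current:
            findings.append({"path": path, "reasons": ["missing-since-install"]})
    return sorted(findings, key=lambda f: f["path"])


def plugins_to_reinstall(findings: list[dict]) -> set[str]:
    """Top-level plugin directory of every flagged file: purge and reinstall these, not just one file."""
    return {f["path"].split("/", 1)[0] for f in findings}


# Constructed sample: the tree as it looked right after a clean install.
INSTALL_SNAPSHOT = {
    "seo-helper/seo-helper.php": b"<?php\n/* Plugin Name: SEO Helper */\nadd_action('init', 'seo_helper_init');\n",
    "gallery/gallery.php": b"<?php\n/* Plugin Name: Gallery */\nadd_shortcode('gallery_grid', 'gallery_grid');\n",
}
BASELINE = build_baseline(INSTALL_SNAPSHOT)

# Constructed sample: the same tree later. seo-helper.php gained an injected loader and a
# new file appeared beside it (the cross-plugin pattern); gallery is untouched.
CURRENT_TREE = {
    "seo-helper/seo-helper.php": INSTALL_SNAPSHOT["seo-helper/seo-helper.php"]
    + b"eval(base64_decode('PLACEHOLDER_PAYLOAD'));\n",
    "seo-helper/wp-cache.php": b"<?php eval(gzinflate(base64_decode('PLACEHOLDER')));\n",
    "gallery/gallery.php": INSTALL_SNAPSHOT["gallery/gallery.php"],
}

if __name__ == "__main__":
    for finding in scan_plugins(BASELINE, CURRENT_TREE):
        print(finding["path"], ", ".join(finding["reasons"]))
    print("reinstall:", sorted(plugins_to_reinstall(scan_plugins(BASELINE, CURRENT_TREE))))
```

On a real site, replace the constructed dicts with `load_tree(Path("wp-content/plugins"))` taken once at install time (store the baseline outside the web root) and again at scan time. The baseline diff is the reliable signal; the regex hits only help triage, and a plugin flagged either way should be removed whole and reinstalled from the official source rather than patched file by file, since a loader in one file typically re-drops the others.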
Seems a tad low (Score:2, Insightful)
Wordpress supposedly drives 30% of all websites. How many websites are there in total? 1,139,467,659 [siteefy.com]
"Currently, there are around 1.14 billion websites in the World. 17% of these websites are active, 83% are inactive."
24,931 is an absurdly tiny fraction of those. I have to question the value of this YODA tool.
Re:Seems a tad low (Score:4, Informative)
"Currently, there are around 1.14 billion websites in the World. 17% of these websites are active, 83% are inactive."
24,931 is an absurdly tiny fraction of those. I have to question the value of this YODA tool.
Well... I imagine it matters proportionally to the importance and popularity of those sites. A blanket statement based simply on the number/proportion of sites is meaningless. It's like this exchange in the movie The Fifth Element [wikipedia.org]:
Billy Masterson (Luke Perry): So when is this snake act supposed to occur?
Professor Pacoli (John Bluthal): Every 5,000 years.
Billy Masterson: So I've got some time, then.
Billy doesn't know how many years have already passed since the last event, so simply thinking he's "got some time" is, well, uninformed. The next time could be tomorrow.
That's not what it does. 11.75% infected in a way (Score:5, Informative)
The study wasn't to find every infected web site on the internet. The study was to see how CMS infections happen and how that changes over time.
They tracked 400,000 web sites. Of those, 11.75% were infected in a way that their tool could automatically detect remotely, and see where the infection came from. If you want a "how many" number, figure about 12% of Wordpress sites are infected.
That's all background information presented before the Introduction portion of the paper. If you'd like to know:
How infections happen today
How that's different from 10 years ago
How many flows in the infection economy
How they can be detected automatically
then you can read the paper, which covers those.
Disclaimer:
While I was at the Ga Tech School of Cybersecurity during this time period and did review student papers, I was not involved in the production or review of this paper.
* Typo - money. How MONEY flows (Score:2)
That should be:
* How MONEY flows in the infection economy
People get paid to infect sites, and steal money through infections. The paper has some info about that.
Re: (Score:2)
Do you have some reason to think that the infected Wordpress sites they didn't study got infected in different ways than the ones in their random sample?
Do you have some reason to think the infection was monetized differently?
Are you simply unaware of the concept of samples in science?
Time to disconnect them... (Score:2)
I think it is time to regularly scan servers and, after a warning, simply disconnect the vulnerable ones if nothing gets fixed. It is basically an act of Internet health, comparable to cleaning the streets or enforcing traffic laws in meat-space. We will probably hate to do this eventually; far too many clueless people are running servers, and this allows far too easy hop-off servers for attacks and DDoS zombies.
WordPress is garbage (Score:2, Troll)
And has remained fundamentally unchanged since its initial release in 2004. A plate of spaghetti code sauced with bad practices and topped with meaty ignorance of security.
The most infuriating codebase I have ever read, and a master class in how to write PHP badly. The last remnant of the not-undeserved poor reputation of PHP4.
Re: (Score:3)
And has remained fundamentally unchanged since its initial release in 2004. A plate of spaghetti code sauced with bad practices and topped with meaty ignorance of security.
The most infuriating codebase I have ever read, and a master class in how to write PHP badly. The last remnant of the not-undeserved poor reputation of PHP4.
Utter nonsense, for anybody who actually works with it, provides support to clients, programs custom plugins, etc.
No software is perfect, but in its problem space (Drupal, Joomla, etc.), WP is far and away the best now.
Re: (Score:2)
Maybe you're thinking of WordPress in terms of security.
Maybe he's thinking in terms of features and ease of use.
Some people think Apple hardware is overpriced.
Some people think Microsoft makes garbage software.
Not everyone bases their opinions on the same facts.
Re: (Score:3)
Wordpress itself got way better over time, and certainly it's better than its reputation. The problem remains the hodgepodge of plugins.
It's a bit like the nodejs problem. Everyone and their dog creates a nifty little plugin, which is then picked up by various other people. Usually people who know even less about programming, and security, than the person developing the plugin. And sooner or later, usually sooner, that person stops giving a fuck about the plugin they created and nobody takes over the projec
Re: (Score:2)
I absolutely understand your position, but please be aware that the problem still isn't with WP itself but with the plugins, and the site owners who know fuck all about how to secure their pages.
Don't get me wrong, I'm the last person who'd defend WP. It's an overhyped, underperforming piece of half-baked garbage that pretty much has to rely on plugins to even offer a decent user experience. All it has going for it is that it's easy to use and free.. Which is also its main problem: It's used by idiots who d
That's all? (Score:4, Interesting)
Um ... no (Score:2)
If you see a news story that says "8-car pileup caused by spilled coffee", do you conclude that's the only traffic accident in the state?
This is a study about how CMS sites get infected, and how that changes over time. It's NOT identifying every infected web site.
They looked at 400,000 sites. Of the 400,000 they checked with their tool, they were able to remotely identify infections by known malware on 12% of them. I wouldn't call that "completely awesome".
I’ve always hated CMSs (Score:3, Funny)
Whenever I did a website, I did my own thing. And when I was maintaining one such website, one day, I see strange garbage strewn across my PHP code.
Turns out the server had been compromised, and every file was injected with malicious code, but only if it was part of a Wordpress website
Because of this, the web hoster yanked every Wordpress website from his server, except mine, which, despite being riddled with malware, did not do anything harmful because the malicious code was never called by Wordpress
That definitely cured any idea I might subsequently have about using a CMS
Re: (Score:2)
Very wise.
Eight Years? (Score:1)
Just how slow is this software?
That's quite low. (Score:1)
WP has north of 70 Million active installations. 25k of malicious extensions is but a drop in the bucket, if at all.
Given WP's install base it is actually quite secure.
YODA how to? (Score:1)
Does anyone know how to run YODA?