YODA Tool Found ~47,000 Malicious WordPress Plugins Installed in Over 24,000 Sites

Category: WordPress

Tags: wordpress

Date: June 19, 2022

As many as 47,337 malicious plugins have been uncovered on 24,931 unique websites, out of which 3,685 plugins were sold on legitimate marketplaces, netting the attackers $41,500 in illegal revenues.

The findings come from a new tool called YODA that aims to detect rogue WordPress plugins and track down their origin, according to an 8-year-long study conducted by a group of researchers from the Georgia Institute of Technology.

“Attackers impersonated benign plugin authors and spread malware by distributing pirated plugins,” the researchers said in a new paper titled “Mistrust Plugins You Must.”

“The number of malicious plugins on websites has steadily increased over the years, and malicious activity peaked in March 2020. Shockingly, 94% of the malicious plugins installed over those 8 years are still active today.”

The large-scale research entailed analyzing WordPress plugins installed on 410,122 unique web servers dating all the way back to 2012, finding that plugins costing a total of $834,000 were infected by threat actors after deployment.

YODA can be integrated directly into a website, run by a web hosting provider, or deployed by a plugin marketplace. In addition to detecting hidden and malware-rigged add-ons, the framework can also be used to identify a plugin’s provenance and its ownership.

It achieves this by performing an analysis of the server-side code files and the associated metadata (e.g., comments) to detect the plugins, followed by carrying out a syntactic and semantic analysis to flag malicious behavior.

The semantic model accounts for a wide range of red flags, including web shells, functions that insert new posts, password-protected execution of injected code, spam, code obfuscation, blackhat SEO, malware downloaders, malvertising, and cryptocurrency miners.

Some of the other noteworthy findings are as follows –

“Using YODA, website owners and hosting providers can identify malicious plugins on the web server; plugin developers and marketplaces can vet their plugins before distribution,” the researchers pointed out.
