Lately I have been seeing a lot of traffic on various mediums (WordPress.org, Twitter, and Facebook) about a new plugin, WordFence. I don’t think it has been around for too long, maybe 6 months or so, and I have been getting a lot of questions about its effectiveness.
I get this a lot, and more often than not my answer is pretty neutral: “You know, I’m not sure, I have not personally tried them, but I encourage you to and let me know how it works” or “Nope, no thoughts on it, but I hear good things.” Well, today, for whatever reason, I decided to give them a whirl. If you know what I do, then you know web security is a big part of my life these days. Like many others I often obsess over would-be competitors, and it’s good to understand what might be chomping at your heels.
With that being said, this post will hopefully serve as an unbiased review of a plugin that is getting a lot of positive remarks from end users. The focus will be to measure its effectiveness at detecting web malware on a basic WordPress website.
Full Disclosure (Update 20120704): It’s important to note that I am an executive at Sucuri Security and this is my personal review, not one performed by my company. By all rights, this would be categorized as a competing product, and it’s important to note that. I hope to be objective and rational in my review and hope that the readers keep me honest. Arguments can be made as to whether I should or shouldn’t write this post, but it’s an interest of mine and I choose to. If you feel strongly about it one way or another, feel free to let me know.
The other day someone posted on Facebook that the company had been around for 12 years; I about fell out when I read that. They have not. Their parent company, Feedjit Inc., has been around since 2007, and its focus has been on providing real-time analytics and real-time ad serving solutions, not web security specializing in web malware. It is important to note, however, that the founder, Mark Maunder, is the one credited with the disclosure of last year’s TimThumb outbreak – kudos to you sir.
At first glance I was fairly impressed. It had this 2.0 feel to it, and its aesthetics were very appealing to me. I found myself a bit envious of the user experience.
In terms of features, the plugin appears to offer three key features:
- Scanner
- Live Traffic
- Blocked IPs
In this post I’m going to specifically test the effectiveness of the scanner. It’s the one that is of most value to me.
I just happened to have a number of different malware payloads readily available to me (not sure why), so I used them to infect a test site.
To set the stage for the environment:
- Working off a sandbox environment
- Running WordPress 3.4
- Barebone installation
- Strategically placed payloads, nothing fancy
- Running the WordFence Premium – Pro version
- Running Twenty Eleven Theme
I am not using any new malware variants; all of them have been around for no less than 2 months.
These are the results I got when I ran the scan:
[Jun 20 01:07:48]Preparing a new scan.Done.
[Jun 20 01:07:48]Comparing core WordPress files against originals in repositoryProblems found.
[Jun 20 01:07:48]Premium: Comparing plugin files against originals in repositorySecure.
[Jun 20 01:07:48]Premium: Comparing theme files against originals in repositorySecure.
[Jun 20 01:07:48]Scanning for known malware filesSecure.
[Jun 20 01:07:58]Scanning file contents for infections and vulnerabilitiesSecure.
[Jun 20 01:07:58]Scanning files for URLs in Google’s Safe Browsing ListProblems found.
[Jun 20 01:08:03]Scanning posts for URL’s in Google’s Safe Browsing ListSecure.
[Jun 20 01:08:08]Scanning comments for URL’s in Google’s Safe Browsing ListSecure.
[Jun 20 01:08:11]Scanning for weak passwordsSecure.
[Jun 20 01:08:15]Scanning DNS for unauthorized changesSecure.
[Jun 20 01:08:16]Scanning to check available disk spaceSecure.
[Jun 20 01:08:17]Scanning for old themes, plugins and core filesSecure.
[Jun 20 01:08:19]Scan complete. You have 7 new issues to fix. See below for details.Scan Complete.
Before starting, the following files were infected and/or added to act as backdoors:
- .htaccess was modified to include a redirect to a known malicious domain with an associated backdoor payload – http://rolyjyl.ru/count30.php
- Backdoor was dropped in the root of the themes directory – toolspack.php
- Backdoor was dropped in the root of a custom directory in themes – a.php
- Backdoor was dropped in the root of a plugins directory – hello.php
- Backdoor was dropped in the root of wp-includes – i.php
- Obfuscated PHP in the root of uploads/2012/ – test.html
- Directive to treat HTML as PHP in wp-content – .htaccess
After running the scan the following issues were found:
Two Critical Issues Were Found:
Right off the bat it flagged two files as critical; great. Now let’s take a look.
First, it’s the .htaccess file. Good, this is a very common redirect to a nasty little payload, so kudos on the catch.
The second one, though, is OK; it’s a false positive. False positives happen all the time, so I’m not knocking them for the warning; I prefer that over a false negative. That being said, I do like the file viewer feature, very nice.
Five Warning Issues Were Found:
Good job on the integrity checks; that’s what these are, and they are pretty straightforward to implement, an easy way to identify whether something is off. From this it was able to identify the one backdoor at /wp-includes/i.php. It’s more a critical issue than a warning, but I can live with the warning. Unfortunately everything else is a bit irrelevant, just some log files.
What It Didn’t Find
I was a bit disappointed that I paid for the Pro service and none of the remaining backdoors were displayed. What was most disappointing is that I would expect the results above if the scan were restricted to HTTP, but it’s not. It’s installed and running server-side, and this in itself should have improved its detection capability and accuracy.
I won’t go into each backdoor but I will cover a few:
The A.PHP Backdoor
This is a snippet of the payload:
You’ll have to do a few levels of decoding, but at some point you’ll come to this injection:
The Test.HTML File
By itself it wouldn’t do anything, but when you look at the .htaccess directives you’ll see that this file can be treated as PHP and executed remotely.
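As an added example (not code from the post, and not WordFence’s own code), here is a small Python audit that does the two things this review credits or faults the scanner for: a file-integrity diff against a baseline manifest, which is how the i.php in wp-includes was caught, and a scan of every .htaccess for the off-site redirect and HTML-as-PHP directives. The directory tree, the malicious.example host and the placeholder file bodies are constructed for the demo; a real baseline would be hashed from a clean copy of the same WordPress version.

```python
import hashlib, os, re, tempfile

def build_manifest(root):
    """Hash every file under root, keyed by path relative to root (the baseline)."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            with open(os.path.join(root, rel), "rb") as f:
                manifest[rel] = hashlib.sha256(f.read()).hexdigest()
    return manifest

# The two .htaccess tricks from the post: a handler/type directive that makes a
# non-PHP extension execute as PHP, and a rule that redirects visitors off-site.
SUSPICIOUS_HTACCESS = [
    re.compile(r"^\s*(AddHandler|AddType|SetHandler)\b.*php.*\.(html?|txt|jpe?g|gif|png)", re.I),
    re.compile(r"^\s*(Redirect(Match|Permanent)?|RewriteRule)\b.*https?://", re.I),
]

def audit(root, baseline):
    """Return added/modified/missing files versus baseline plus flagged .htaccess lines."""
    current = build_manifest(root)
    report = {"added": sorted(set(current) - set(baseline)),
              "missing": sorted(set(baseline) - set(current)),
              "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
              "htaccess": []}
    for rel in current:
        if rel.rsplit("/", 1)[-1] == ".htaccess":
            with open(os.path.join(root, rel), errors="replace") as f:
                for n, line in enumerate(f, 1):
                    if any(rx.search(line) for rx in SUSPICIOUS_HTACCESS):
                        report["htaccess"].append((rel, n, line.strip()))
    return report

def demo():
    """Constructed tree mirroring the post's setup: take a baseline, then drop the payloads."""
    root = tempfile.mkdtemp()
    def put(rel, text):
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as f:
            f.write(text)
    put(".htaccess", "RewriteEngine On\nRewriteRule ^index\\.php$ - [L]\n")
    baseline = build_manifest(root)
    # Infection stage; every file body is an inert placeholder, not a real payload.
    put(".htaccess", "RewriteEngine On\nRedirectMatch .* http://malicious.example/x.php\n")
    put("wp-includes/i.php", "<?php /* placeholder for a dropped backdoor */\n")
    put("wp-content/.htaccess", "AddType application/x-httpd-php .html\n")
    put("wp-content/uploads/2012/test.html", "<!-- placeholder -->\n")
    return audit(root, baseline)
```

Note that test.html only shows up as an added file; the reason it is dangerous is the AddType line in the neighbouring .htaccess, which the directive scan reports separately.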
The TOOLSPACK.PHP Backdoor
So this one has been out for a while, and you can read more here: http://blog.sucuri.net/2012/02/new-wordpress-toolspack-plugin.html It’s a basic backdoor that allows remote execution on your server.
My Final Thoughts
So, all that being said, my opinion is that when it comes to scanning for malware, it’s not the most effective for me.
Most of the things I tested are basic backdoors and injections, and I would expect them to be found, especially by a paid service. There are a few things, like the directives to switch .html to .php, where I can understand how they were not. I didn’t share all the payloads, but the three files I covered speak to the different variations that were used. In terms of doing integrity checks it seems to do a good job, but that’s pretty standard; in terms of its detection features, it’s not something I would personally bet on. This is not to say it will always be like this, it’ll likely improve with time, but as it stands its detection method does not appear to be effective enough for today’s web-malware issues.
It’s important to understand that the tool is not all bad. The user experience is great and I really like its Live Traffic feature; it seems to be built on the engine from the parent company, which is really awesome. The blocked IPs feature is nice, but I wasn’t able to test it effectively. My bag of tricks fell short when I needed a number of bad IPs to test from. :(
I hope this helps.
Please note that I’m not being unrealistic; even at my own company we don’t capture every issue, it’s not practical. In fact, in most cases AVs often only have a 70 to 80% success rate in their detection.