Open jrfnl opened 7 years ago
Triage resolution: This should be added to the checks. The initial list from the theme check can be used and it can be expanded on.
@ernilambar mentioned wp-vcd.php, not sure what it is, but it can be added to the list.
I wonder if it would be a better idea to add these sniffs to WPCS in general and then include them from WPTRT? Or alternatively add them to the PHPCS Security standard and add sniffs from that?
We are not including that standard atm, but I'm for it 👍 Anything that helps with the security is ok in my book 🙂
@dingo-d FYI: The Security standard needs some work (and a new release) before it could be considered for inclusion, but it's something to keep an eye on for the future for sure.
Do we have an estimate of when this new release would be, because if it's too far in the future maybe it wouldn't be a bad thing to have this sniff either here or in the upstream (WPCS) before.
No release planning known to me, though I am trying to help box the project into shape, so will let you know when I know more.
Once sniffs are written for this, they can always be upstreamed later anyway (and yes: I do still think having separate sniffs for the separate threats will be a good idea).
It may also be a good idea to have a look at the Security standard already to see if sniffs already exist for some of these so energy will be spent on adding the missing ones first.
Rule type:
Error
Rule:
Verify a number of typical PHP snippets which are known as malware indicators
The list of snippets might need to be expanded. Input welcome.
Theme check file covering this rule:
https://github.com/WordPress/theme-check/blob/master/checks/worms.php
Decision needed:
A list needs to be compiled with code snippets to be sniffed for & approved by the TR board.
Notes for implementation:
To do:
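As an added illustration of the shape such a rule could take (example code, not from the WPThemeReview or theme-check projects), a minimal PHPCS sniff that reports an Error when a string literal contains a known indicator. The class name, namespace and the single placeholder entry (`wp-vcd`, taken from the comment above) are assumptions; the real list still needs to be compiled and approved.

```php
<?php
// Hypothetical namespace; adjust to the ruleset's own Sniffs directory.
namespace WPTRT\Hypothetical\Sniffs\Security;

use PHP_CodeSniffer\Files\File;
use PHP_CodeSniffer\Sniffs\Sniff;

/**
 * Flags string literals that contain snippets known as malware indicators.
 */
class MalwareIndicatorsSniff implements Sniff
{
    /**
     * Placeholder indicator list (lowercase needle => error message).
     * To be replaced by the list compiled and approved by the TR board.
     */
    private $indicators = [
        'wp-vcd' => 'Reference to wp-vcd found, a known malware indicator',
    ];

    public function register()
    {
        // Inspect every kind of string literal the tokenizer produces.
        return [
            T_CONSTANT_ENCAPSED_STRING,
            T_DOUBLE_QUOTED_STRING,
            T_HEREDOC,
            T_NOWDOC,
        ];
    }

    public function process(File $phpcsFile, $stackPtr)
    {
        $tokens  = $phpcsFile->getTokens();
        $content = strtolower($tokens[$stackPtr]['content']);

        foreach ($this->indicators as $needle => $message) {
            if (strpos($content, $needle) !== false) {
                // Rule type is Error, so report as an error rather than a warning.
                $phpcsFile->addError($message, $stackPtr, 'IndicatorFound');
            }
        }
    }
}
```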