Open source is fantastic because you can build upon the code of others. It's also horrible because you can build upon the code of others. This means someone can take a well-developed plug-in, make one or two minor changes, and redistribute an almost identical system to yours while taking all of the credit. So, as many of us have said over the past week, whenever evaluating any open source system (whether it's free or paid), you need to consider the source.
Do you know of the developer? Do you know of the distributor? Have you seen good work from them in the past? Do you trust them?
Yesterday, a well-known theme developer named Chip Bennett (@chip_bennett) discovered that someone was distributing his themes with an embedded worm. I was quick to tear the worm apart and figure out how it worked, so was one of WordPress' core developers.
The Website
The website distributing the hacked theme is called top-themes.com. A deep whois search shows the domain is registered to a developer in the Ukraine who, as far as I can tell, has no relation to the WordPress project. However, he is distributing several themes from well-known WordPress developers on his site.
The Worm
Every one of the themes on this site comes pre-installed with a worm that's very difficult to find. This worm is a ZIP file that's hidden inside the theme's screenshot.png file. The themes' functions.php file is appended with a function that splits the actual screenshot image apart from the ZIP file, expands the contents of the archive, and places them inside a separate directory inside your theme.
Then, the worm adds some code to the top of the functions.php file to load a file from this new directory. Finally, having set up your site to automatically launch the files it contained, the worm removes itself from your site.
The Backdoor
The files the worm placed in your site expose a PHP shell utility to the author of the worm. They can now log in to a backdoor of your site using a username and password known only to them. It gives the user free reign over your files, your settings, and your content. They can do whatever they want and leave you to clean up afterwards.
The backdoor files also automatically contact the worm author to let you know there's a site open and ready to be violated.
The Point
Chip builds great themes and websites. As a true open source contributer, he gives away much of his work for free. Another developer has taken advantage of Chip's hard work and is using it to distribute insecure, harmful systems that, sadly enough, still bear Chip's name as the developer.
It's hack developers like those at top-themes.com that give free WordPress systems a bad name. But keep in mind that several paid systems also have worms. I've had to remove quite a few from client sites, so paid-versus-free is not a good indicator of the safety of any one plug-in or theme.
Protect Yourself
To protect your site, always always always verify that your download is actually coming from where it's supposed to. If I wrote it, it will only be available on my website, from the official WordPress repositories, or from projects I manage on Google Code. If you find my system on a website run by a guy in Ukraine, it might have a worm. Just stop there and download it somewhere else.
The only real way to combat hacks is to ignore them. Download from legitimate sources, and consider the source you're downloading from. Make sure, whether it's a free or paid solution, that you're getting the genuine article.