SoakSoak Malware Compromises Over 100,000 WordPress Websites

Security researchers recently discovered yet another threat to websites running the popular content management system (CMS) WordPress. The threat, dubbed SoakSoak, is the latest malware campaign designed specifically to target sites running the CMS and has already resulted in over 11,000 domains being blacklisted by Google. WordPress has become extremely popular and powers nearly 60 million websites worldwide (roughly 1 in every 6 websites), so it is no wonder hackers have been targeting it more regularly in the last few months.

Compromising a legitimate website has become an incredibly successful ploy for cyber criminals, as most PC users have grown wary of unsolicited spam email campaigns that try to infect machines with attached malware or with links to malicious sites. SoakSoak is the latest threat to plague WordPress-powered sites: it injects code into a compromised site that sends every visitor's browser to the SoakSoak.ru domain.

Once a visitor's browser reaches this malicious domain, an exploit kit probes the browser and its plugins (namely Java, Flash and Microsoft Silverlight) for known vulnerabilities and installs malicious software using the all-too-common drive-by download technique that has become a staple of the modern attacker's arsenal.

According to the Internet security firm Sucuri (which first noticed the thousands of blacklisted domains), SoakSoak modifies a file within the WordPress installation so that it loads JavaScript-based malware directly from the SoakSoak.ru domain. SoakSoak targets WordPress plugins rather than the WordPress core itself. The reason is simple: many plugins are not properly maintained by their developers, and many webmasters forget to update plugins even when updates are available. This makes it relatively easy for attackers to plant backdoors in the CMS through outdated plugins, many of which are installed and never even used.


One plugin that is especially exposed to SoakSoak is RevSlider (Slider Revolution), an interactive slider commonly used on the homepage of WordPress-powered sites to add a level of interactivity to the page. Unfortunately, RevSlider is a premium plugin that is often pre-packaged with themes used to change the overall appearance of a WordPress site. Because such a bundled copy of RevSlider is integrated into the theme, the webmaster cannot update it through the normal plugin updater and must wait until the theme's developers release a theme update that incorporates the new version of RevSlider. Sucuri estimates that well over 100,000 WordPress sites are currently running a vulnerable version of RevSlider, and for those sites nothing can be done, short of disabling the plugin, until the theme developers ship a secure update to the entire theme. This makes it rather easy for attackers to keep spreading SoakSoak and related malware via compromised sites while developers scramble to catch up. It is also worth noting that many other plugins are potentially at risk but have yet to be identified.

If you are a webmaster operating one or more WordPress sites, the best way to protect them from SoakSoak is to ensure WordPress and all associated plugins are up to date; if an outdated version of RevSlider is in use, disable it until a patch is released for the theme that bundles it. Cleaning the injected code out of a site without also updating or removing the vulnerable plugin only invites reinfection, since the hole the attackers came through is still open; any modified core files should be restored from a clean copy of the same WordPress release.
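The checks this paragraph asks for, and the clean-up a reader describes in the comment further down (find which files changed, restore the originals, deal with RevSlider), as an added triage script. It is not part of the original article and is not a Sucuri or Wordfence tool. It assumes the bundled RevSlider copy sits at wp-content/plugins/revslider/revslider.php with a standard plugin header, that the injected loader contains the literal domain soaksoak.ru, and that 4.2 is the first fixed RevSlider release (an assumption to confirm against the vendor's changelog). The core-file manifest is produced by the script itself from a clean copy of the same WordPress release, so nothing here depends on the network.

```shell
#!/bin/sh
# Added example (not from the article, Sucuri or Wordfence): triage one
# WordPress document root for the indicators described in the text.
#   1. a RevSlider copy older than the assumed fixed version,
#   2. any PHP/JS file that references the soaksoak.ru domain,
#   3. core files whose hashes differ from a manifest of a clean copy.
# Assumptions: plugin path and "Version:" header layout as below; the
# minimum safe version is an assumption, check the vendor's changelog.

MIN_SAFE_REVSLIDER="${MIN_SAFE_REVSLIDER:-4.2}"

# Print the version declared in the plugin header, or nothing if not installed.
revslider_version() {
    f="$1/wp-content/plugins/revslider/revslider.php"
    [ -f "$f" ] || return 0
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*//p' "$f" | head -n 1 | tr -d ' \r'
}

# version_lt A B: succeed if dotted version A is strictly older than B.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t . -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# List PHP and JS files under DIR that mention the malicious domain.
find_soaksoak_refs() {
    find "$1" -type f \( -name '*.php' -o -name '*.js' \) \
        -exec grep -li 'soaksoak\.ru' {} + 2>/dev/null || true
}

# Write a sha256 manifest of wp-includes and wp-admin, relative to ROOT.
# Run this against a freshly unpacked copy of the same WordPress release.
make_core_manifest() {
    (cd "$1" && find wp-includes wp-admin -type f -exec sha256sum {} + | sort -k 2)
}

# List files under ROOT whose hash no longer matches MANIFEST (changed or missing).
changed_core_files() {
    m="$2"
    case "$m" in /*) ;; *) m="$PWD/$m" ;; esac   # manifest path must survive the cd
    (cd "$1" && sha256sum -c "$m" 2>/dev/null | grep -v ': OK$' | cut -d: -f1) || true
}

# Scan one document root; exit 0 if nothing was found, 1 otherwise.
scan_wp_root() {
    root="$1"; manifest="${2:-}"; rc=0
    v=$(revslider_version "$root")
    if [ -n "$v" ] && version_lt "$v" "$MIN_SAFE_REVSLIDER"; then
        echo "VULNERABLE: RevSlider $v in $root (older than $MIN_SAFE_REVSLIDER)"; rc=1
    elif [ -n "$v" ]; then
        echo "ok: RevSlider $v in $root"
    fi
    hits=$(find_soaksoak_refs "$root")
    if [ -n "$hits" ]; then
        echo "INFECTED: soaksoak.ru referenced in:"; echo "$hits"; rc=1
    fi
    if [ -n "$manifest" ]; then
        changed=$(changed_core_files "$root" "$manifest")
        if [ -n "$changed" ]; then
            echo "MODIFIED core files (restore from a clean copy):"; echo "$changed"; rc=1
        fi
    fi
    return $rc
}

# Usage: sh wp-soaksoak-triage.sh /var/www/site [/abs/path/clean.sha256]
if [ $# -gt 0 ]; then scan_wp_root "$@"; fi
```

Generate the manifest once with `make_core_manifest /tmp/clean-wordpress > clean.sha256` from an untouched download of the release the site runs, then run the scan with the site root and that manifest. A non-zero exit means an old RevSlider, a file that pulls from the malicious domain, or a core file that no longer matches the clean release; the last two lists tell you exactly which files to restore, while the first is the hole that has to be closed before restoring anything is worth the effort.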

PC users can avoid infection from SoakSoak-compromised sites by keeping the Windows OS, antivirus software and all Web browser plugins updated regularly. Better yet, if you do not actively use vulnerable plugins such as Flash and Java, remove them from the system completely to further protect your PC from SoakSoak and related threats.

Cynthia

This was such a pain. I have over 10 websites and 5 of them were infected. After spending hours looking for a fix I was able to get my sites cleaned. For those affected, let me save you time.

1) The culprit is the WordPress plugin RevSlider (also called Revolution Slider); remove it if you can, else update the plugin immediately.

2) Install a WordPress plugin called Wordfence, which will tell you exactly which files are affected and will help you restore the original clean files.
