Google blacklists 11,000 WordPress sites infected with Soak malware

The users of WordPress, a free and open source content management system (CMS) and blogging tool, have been informed by the security firm Sucuri that a widespread malware campaign known as ‘SoakSoak’ has already compromised over 100,000 websites, though the firm warns that this could be only the tip of the iceberg. The news follows hot on the heels of Google blacklisting more than 11,000 domains thought to be running SoakSoak.ru. Whilst the news will be worrying for the 70 million websites currently running WordPress, experts are warning that the ramifications of the latest malware discovery could be more far-reaching, and that the number of infected websites could ultimately be ten times the original estimate.

Sucuri is actively investigating the infection vector, and says that the infections are not targeted specifically at WordPress websites, although the impact appears to be felt across most hosts in the WordPress hosting spectrum. Daniel Cid, Sucuri’s CTO and founder, told the press that he has seen the campaign targeting WordPress users running Internet Explorer on Windows, and that it pushes multiple exploit kits to the browser. However, the Russian site from which the campaign was pulling its malware is currently offline, suggesting that the malware may have spread faster than its creators expected:

“The good news is that the site was down for many hours yesterday [14th, December] and seems to be overloaded right now,” Cid said, “I guess they infected more sites than what they were expecting.”

The SoakSoak.ru malware works by modifying a WordPress core file, wp-includes/template-loader.php, so that a JavaScript file, wp-includes/js/swobject.js, is loaded on every page of the site. Once decoded, that script loads malware from the rogue Russian domain. Cid pointed out that any version of WordPress that uses the popular slideshow plugin “Slider Revolution” (also known as RevSlider) is vulnerable to SoakSoak.

The latest discovery follows Sucuri’s September disclosure of another vulnerability in the RevSlider plugin, one that allowed an attacker to download any file, including database credentials, from the affected site’s server. The underlying problem is that the plugin is frequently left out of date, which is directly linked to the way it is bundled into theme packages: RevSlider’s automatic update mechanism is usually disabled when it ships as part of a theme, leaving it up to the webmaster to update it. According to Cid:

“Many users don’t even know they have this plugin because it comes bundled with many themes, explaining why a lot of sites are still not patched,” he said.

Sucuri has yet to confirm the exact vector through which SoakSoak.ru operates, but Tony Perez, a researcher at Sucuri, told the press that preliminary analysis showed a correlation between SoakSoak and RevSlider. The major worry for security experts is that it is impossible to work out precisely how many websites have been, or could yet be, affected by this latest malware campaign. All that can be said definitively at the moment is that over 70 million sites run on WordPress, and that RevSlider is one of the content management system’s most popular plugins. Figuring out exactly what kind of websites, and how many, have been hit by the malware is proving far more problematic.

Sucuri is encouraging users to remove RevSlider or update it to the latest version as soon as possible, to clean the admin user list in the database to prevent reinfection, and to re-install WordPress to replace the infected files.
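The two indicators described above (the modified wp-includes/template-loader.php and the dropped wp-includes/js/swobject.js) and the RevSlider exposure that the clean-up advice targets can be checked from the web host’s shell. The script below is an added example written for this article; it is not Sucuri’s tool or part of WordPress. It assumes, beyond what the article states, that a stock WordPress install ships no file named swobject.js and that a clean template-loader.php never mentions that name, and that RevSlider lives in a directory called revslider somewhere under wp-content (inside a theme when it is bundled). The function name soaksoak_check is hypothetical.

```shell
#!/bin/sh
# soaksoak_check ROOT
#   ROOT is the directory holding wp-includes/ and wp-content/.
#   Prints one line per indicator found.
#   Exit status: 0 = no infection indicators, 1 = at least one found.
soaksoak_check() {
    root="$1"
    hits=0

    # 1. The dropped loader script. Assumption: a stock WordPress core
    #    does not contain wp-includes/js/swobject.js at all.
    if [ -f "$root/wp-includes/js/swobject.js" ]; then
        echo "HIT: $root/wp-includes/js/swobject.js is present"
        hits=$((hits + 1))
    fi

    # 2. The modified core file: SoakSoak alters template-loader.php so that
    #    swobject.js is pulled into every page. Assumption: a clean copy of
    #    this file never references that name, so any match is suspicious.
    if [ -f "$root/wp-includes/template-loader.php" ] &&
       grep -q 'swobject' "$root/wp-includes/template-loader.php"; then
        echo "HIT: $root/wp-includes/template-loader.php references swobject.js"
        hits=$((hits + 1))
    fi

    # 3. Exposure rather than infection: RevSlider present anywhere under
    #    wp-content, including copies bundled inside themes, which is where
    #    its auto-update is typically disabled. Reported but not counted as
    #    a hit; the advice is to remove it or update it to the latest version.
    if find "$root/wp-content" -type d -name 'revslider' 2>/dev/null | grep -q .; then
        echo "NOTE: RevSlider directory found under $root/wp-content; confirm it is at the latest version"
    fi

    [ "$hits" -eq 0 ]
}

# Example invocation when run directly (path is a placeholder):
#   soaksoak_check /var/www/example-site
```

A non-zero exit is the cue to do what the article recommends: replace wp-includes with the files from a fresh WordPress download rather than editing template-loader.php by hand, then review the administrator accounts in the database and deal with RevSlider. The grep is deliberately loose (any occurrence of the string) because a false positive costs a minute of review while a missed modification keeps serving the payload.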

If you are concerned about the escalating security challenges and risk management issues facing your business today and would like to take precautions, then why not speak to Krypsys? Krypsys’ services are focused on helping your business assess its security posture against current and evolving security threats and educating you on the risks to which you are exposed. We have a wealth of experience in security projects in both the public and private sectors and have worked with organisations to protect high value information assets such as trading platforms, e-commerce systems, data-centres and cloud services. We also work with leading IT security vendors and specialist consultancies to close the gaps in your own IT security strategy and to assist in streamlining and prioritising your risk management spending.

Whether you’re looking for help with penetration testing and security reviews, or are looking for advice on security compliance and web security solutions, Krypsys can help you. For more information on web security solutions, please contact Krypsys on 01273 044072 or [email protected].