SoakSoak WordPress Malware Attack

By January 2, 2015Uncategorized

WebOzy
WebOzy – the web services company

The latest malware news making the rounds is Google has blacklisted more than tens of thousands of WordPress sites that were affected by the SoakSoak malware. Most industry experts believe that the scale of this malware’s attack can be enormous – almost ten times the number of sites that are blacklisted currently.

What is SoakSoak Malware?

The SoakSoak malware has already affected over a million WordPress sites, and the number is likely to grow by the minute. While malwares aren’t a new phenomenon to the Internet world, the growing casualty list of this malware has indeed caught a few people in awe. The name SoakSoak comes from the first site the malware redirected its path from soaksoak.ru.

SoakSoak attacks WordPress sites because of a vulnerability that was outlined in its RevSlider plug-in a while ago. While most of the technology world is in shock of the attacks, there are few who have pointed out the vulnerabilities that have led to the attack growing at such unprecedented levels.

Sucuri (a leader on Internet malware defense) has claimed that the RevSlider’s WordPress plug-in was the primary weakness. Why did it go undetected? These plug-ins are often inside the WordPress themes, and most users do not even think of these plugins as something related to the security of their websites.

How Does It Attack?

The SoakSoak malware campaign has targeted WordPress websites that have been using the non-updated Rev slider plug-in running Internet Explorer on Windows. The malware is sending multiple exploit kits to the browser as part of its affecting tactics. The campaign has been pulling malware from a Russian domain. (Note: As of this report, that domain is presently offline.) There is a growing belief among the Internet leaders and monitoring agencies that the scale of the attack was much more than what its creators had even expected.

Once the malware is on the site, it affects the WordPress site by modifying a file wp-includes/template-loader.php, this file is then made to go to the JavaScript file. After the JavaScript has the modified file, the malware downloads it onto every page, loading malware from the parent Russian domain into the site thus infecting the website.

Most sites of WordPress that use older than the 4.1.4 plug-in of the RevSlider are at risk of the SoakSoak malware because technology experts found vulnerability in it. The plug-in had the ability to allow any attacker to download any file that it wants, including the coveted credentials of databases from the servers that were affected.

Sequence of the SoakSoak Attack

The attack happens in the following three steps:

The First Step: Inspection

Before the malware attacks the site, it seems to scan the whole site to look for the files that it could modify. There are specific snippets of the code that that malware searches for during its tests. The first scan looks for the files, where the second wants to use the vulnerabilities to download them.

The Second Step: Take Advantage

If SoakSoak can find the desired file, they attempt to modify the file and uses it to upload a dangerous theme to the affected site.

The Third Step: Take Over

Once they have set the ball rolling, they initiate their acts to take complete control of the site. The process of taking control is done by injecting Filesman backdoor into the website, (a system to allow remote monitoring and control which is very popular.) They then can access the site whenever they want because they have by that time circumvented existing security controls.

How Can You Protect Yourself?

The key to being safe from this infection is thinking clearly and not being reactive. Many suggest that cleaning and deletion of the two files that include the JavaScript one is enough to get rid of the malware. However, this is incorrect. Most people that have used this way to cleaning have found themselves re-infected almost minutes later. While this method is the correct way to remove the infection, it’s leaving behind the entry points to re-attack the site. The best remedy is cleaning those two files and using website firewalls. Proper and real website firewalls will work the best. We currently recommend the Cloudflare CDN, which has these firewall controls, as well as other benefits.

cloudflare CDN

Moving Forward After SoakSoak?

The reason this malware was able to affect WordPress sites is because of the use of out of date plug-ins. Keeping plugins to the current version is highly recommended. This helps prevent such malware attacks, but to also solve other bugs inside the application as well.

The problem of malware and their attacks isn’t new. What’s important is that each malware attack is another reason that the constant update of your WordPress core, theme & plugins is needed.

SoakSoak WordPress Malware Attack
Stephen Gardner

Leave a Reply