Mysterious Russian Malware Is Infecting 100,000+ Wordpress Sites
December 15, 2014
A Russian malware called SoakSoak has infected over 100,000 Wordpress
sites since this Sunday, turning blogs into attack platforms. It's a
potential ####show, and it could've been prevented earlier this fall.
Google has already blocked 11,000 domains to try to curb the damage.
According to security firm Sucuri, the malware uses a vulnerability in a
slideshow plug-in called Slider Revolution. The Slider Revolution team
has known about the vulnerability since September, but it looks like
they failed to fix it before the security hole got crammed with steaming
hot malware.
Researchers at Sucuri are warning that it'll be hard to completely
eradicate the malware as long as so many site owners don't know it's
there. In addition to removing the malicious code, they will need to
update the premium plug-in. If the plug-in came as part of a theme, it
won't update automatically, which means site admins will have to
manually update.
Gaming site Dulfy was one of the first infected domains to fix the problem
by removing code and going behind a firewall, but it may persist on
blogs with less diligent administrators indefinitely. And Dulfy's admin
isn't sure the fix is permanent. "The firewall will be a temporary
measure until we can figure out what is doing it," site owner Kristina
Hunter told me.
http://gizmodo.com/mysterious-russian-malware-is-infecting-over-100-000-wo-1671419522
See also:
http://blog.sucuri.net/2014/12/soaksoak-malware-compromises-100000-wordpress-websites.html
===============
The impact seems to be affecting most hosts across the WordPress hosting
spectrum. A quick breakdown of the decoding process is available via our
PHP Decoder.
SoakSoak Malware Anatomy
It is modifying the file wp-includes/template-loader.php and including
this content:
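The injected content is not reproduced in this excerpt. As an added example (not code from Sucuri, Gizmodo or WordPress), the following check compares a site's copy of wp-includes/template-loader.php against a pristine copy taken from the matching WordPress release and reports any added lines that pull in another file or decode/evaluate strings, which is how a site admin can confirm the file is clean after removing the malware and updating the plug-in. The two file bodies below are constructed stand-ins, not the real core file or the real injected code.

```python
import difflib
import re

# Constructs that rarely belong in a freshly added line of a core file:
# pulling in another file, evaluating strings, or decoding obfuscated payloads.
SUSPICIOUS = re.compile(
    r"\b(include|include_once|require|require_once|eval|base64_decode|gzinflate)\b"
)


def find_injected_lines(pristine: str, suspect: str) -> list:
    """Return lines present in `suspect` but absent from `pristine` that match SUSPICIOUS."""
    diff = difflib.unified_diff(
        pristine.splitlines(), suspect.splitlines(), lineterm="", n=0
    )
    # Keep only '+' body lines; skip the '+++' file header emitted by unified_diff.
    added = [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]
    return [l for l in added if SUSPICIOUS.search(l)]


def compare_files(suspect_path: str, pristine_path: str) -> list:
    """Read both files from disk and report suspicious added lines in the suspect copy."""
    with open(pristine_path, encoding="utf-8", errors="replace") as f:
        pristine = f.read()
    with open(suspect_path, encoding="utf-8", errors="replace") as f:
        suspect = f.read()
    return find_injected_lines(pristine, suspect)


# Constructed sample: a minimal stand-in for the pristine core file.
PRISTINE = """<?php
/**
 * Loads the correct template based on the visitor's url
 */
if ( wp_using_themes() ) {
\tdo_action( 'template_redirect' );
}
"""

# Constructed sample: the same file with one injected line (placeholder path, not real malware).
TAMPERED = PRISTINE.replace(
    "if ( wp_using_themes() ) {",
    'include_once( "/tmp/constructed_payload.php" );\nif ( wp_using_themes() ) {',
)

if __name__ == "__main__":
    for line in find_injected_lines(PRISTINE, TAMPERED):
        print("suspicious added line:", line)
```

On a live site, obtain the pristine copy from the official release archive for the exact WordPress version shown in wp-includes/version.php rather than from the compromised host.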
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)