
Google Blacklists WordPress Sites Peddling SoakSoak Malware

2014-12-16 01:35

Google blacklisted more than 10,000 different websites over the weekend that it spotted doling out SoakSoak malware, but experts claim the number of impacted sites may ultimately be ten times that figure.

Up to 100,000 sites hosted on WordPress may be vulnerable to a campaign known as SoakSoak, according to web security firm Sucuri, which warned about the malware in a blog post yesterday.

Daniel Cid, Sucuri’s CTO and founder, told Threatpost Monday morning that he’s seen the campaign targeting WordPress users running Internet Explorer on Windows and that it’s pushing multiple exploit kits to the browser.

The site the campaign was pulling malware from – a Russian domain – is currently offline, suggesting that the malware may have caught on faster than its creators expected.

“The good news is that the site was down for many hours yesterday and seems to be overloaded right now,” Cid said. “I guess they infected more sites than what they were expecting.”

The malware modifies a WordPress core file, wp-includes/template-loader.php, so that a JavaScript file, wp-includes/js/swfobject.js, is loaded on every page of the site. Once decoded, that script pulls the malware from the aforementioned Russian domain.

Cid points out that any version of WordPress that uses a popular slideshow plugin, “Slider Revolution” a/k/a RevSlider, is vulnerable to SoakSoak.

In September, a vulnerability was disclosed in the plugin that allows an attacker to download any file from the affected site's server, including the wp-config.php file that holds the database credentials. The plugin often stays unpatched because of the way it is bundled into theme packages: RevSlider's automatic update mechanism is usually disabled when it ships as part of a theme, leaving it up to the webmaster to update it by hand.
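The arbitrary-file-download flaw leaves a clear trail in the web server's access log, which is the first place to look when deciding whether a RevSlider site was hit before the patch went in. The following detector is an added example (not code from Threatpost, Sucuri or the plugin): the request shape it keys on, admin-ajax.php with action=revslider_show_image and an img= parameter naming the file to fetch, is taken from public write-ups of the flaw and is assumed here, and the log lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines in the common "combined" format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Dec/2014:02:11:09 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 3241 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Dec/2014:02:11:12 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
198.51.100.20 - - [14/Dec/2014:02:15:41 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=slider1.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
198.51.100.20 - - [14/Dec/2014:02:16:02 +0000] "GET /wp-content/plugins/revslider/public/assets/js/jquery.themepunch.revolution.min.js HTTP/1.1" 200 99120 "-" "Mozilla/5.0"
"""

# ip, timestamp, method, request target and status code of a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif", ".webp", ".svg")


def img_is_suspicious(value):
    """True when the img= value reaches outside the slider's image directory.

    parse_qs already decoded the value once; decoding again catches the
    double-encoded variant (..%252F..) that some scanners use.
    """
    v = unquote(value)
    return ("../" in v or "..\\" in v or v.startswith("/")
            or not v.lower().endswith(IMAGE_EXT))


def find_revslider_download_attempts(log_text):
    """Return one dict per request that abuses revslider_show_image to read a file."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        qs = parse_qs(parts.query)
        if qs.get("action", [""])[0] != "revslider_show_image":
            continue
        img = qs.get("img", [""])[0]
        if img_is_suspicious(img):
            # A 200 with a non-trivial body size means the file was actually served.
            hits.append({"ip": m["ip"], "time": m["ts"],
                         "status": int(m["status"]), "img": unquote(img)})
    return hits


if __name__ == "__main__":
    for hit in find_revslider_download_attempts(SAMPLE_LOG):
        print(hit)
```

A hit on wp-config.php with status 200 should be treated as a credential leak: rotate the database password and any salts/keys in that file, not just patch the plugin.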

“Many users don’t even know they have this plugin because it comes bundled with many themes, explaining why a lot of sites are still not patched,” Cid said.

Tony Perez, another researcher with the firm, couldn’t confirm the exact vector yesterday in a write-up of the malware but did state that a preliminary analysis showed a correlation between SoakSoak and RevSlider.

There are more than 70 million sites that run on WordPress and RevSlider is one of the content management system’s most popular plugins so it’s difficult to know exactly how many and what kind of sites may have been hit by the malware.

It does appear that Dulfy.net, a site that provides guides for popular MMORPG games like Guild Wars 2 and Star Wars: The Old Republic, was one site that was infected by the malware over the weekend.

“We have identified and removed the hacked files. The site should be okay now,” a Dulfy spokesperson said on Reddit Monday.

A Google Safe Browsing diagnostic page claims the site is fine now but was cited for suspicious activity in the past. In this case, as of yesterday “667 pages resulted in malicious software being downloaded and installed without user consent.”

Cid is encouraging users to remove RevSlider or update it to the latest version as soon as possible, clean the admin user list in the database to prevent reinfection, and re-install WordPress to replace the infected files.
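The two file indicators described earlier (an injected enqueue in template-loader.php and a tampered swfobject.js) and the clean-up steps above come together in a short triage script. This is an added example, not Sucuri's or WordPress's code: the "known good" checksums are stand-ins computed from constructed clean copies (in practice you take them from a fresh download of the same WordPress version, which is what `wp core verify-checksums` does against api.wordpress.org), the injected content is modelled on the article's description rather than copied from a real infection, and the demo database and its accounts are constructed.

```python
import hashlib
import re
import sqlite3
import tempfile
from pathlib import Path

# Files the article says SoakSoak tampers with, relative to the WordPress root.
TEMPLATE_LOADER = "wp-includes/template-loader.php"
SWFOBJECT_JS = "wp-includes/js/swfobject.js"

# A stock template-loader.php never enqueues scripts and never mentions
# swfobject, so either string on its own is an injection indicator.
LOADER_INJECTION = re.compile(r"swfobject|wp_enqueue_script", re.I)


def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def scan_wordpress(root, known_good):
    """Findings for a WordPress install at `root`.

    `known_good` maps relative core paths to pristine SHA-256 digests; any
    mismatch (or missing file) is a file to replace from a clean download.
    """
    root = Path(root)
    findings = {"checksum_mismatch": [], "loader_injection": None}
    for rel, good in known_good.items():
        f = root / rel
        if not f.is_file() or sha256_of(f) != good:
            findings["checksum_mismatch"].append(rel)
    loader = root / TEMPLATE_LOADER
    if loader.is_file():
        m = LOADER_INJECTION.search(loader.read_text(errors="replace"))
        findings["loader_injection"] = m.group(0) if m else None
    return findings


def list_administrators(conn, prefix="wp_"):
    """(login, registered) for every account holding the administrator role.

    WordPress keeps roles in {prefix}usermeta under meta_key
    '{prefix}capabilities' as a serialized PHP array, so LIKE is the practical
    query. Compare the list with the people who should have admin access;
    accounts an attacker added are how they get back in after the files are cleaned.
    """
    sql = (
        f"SELECT u.user_login, u.user_registered FROM {prefix}users u "
        f"JOIN {prefix}usermeta m ON m.user_id = u.ID "
        f"WHERE m.meta_key = '{prefix}capabilities' "
        f"AND m.meta_value LIKE '%administrator%' ORDER BY u.user_registered"
    )
    return conn.execute(sql).fetchall()


# --- Constructed demo data (stand-ins, not a real WordPress tree or infection) ---
CLEAN_LOADER = ("<?php\nif ( defined('WP_USE_THEMES') && WP_USE_THEMES )\n"
                "\tdo_action( 'template_redirect' );\n")
CLEAN_SWFOBJECT = "/* constructed stand-in for the SWFObject library */\nvar swfobject={};\n"
# Modelled on the article: the loader enqueues swfobject.js on every page and a
# self-decoding blob appended to swfobject.js fetches the real payload.
INJECTED_LOADER = CLEAN_LOADER + ("function queue_obj(){ wp_enqueue_script('swfobject'); }\n"
                                  "add_action('wp_enqueue_scripts', 'queue_obj');\n")
INJECTED_SWFOBJECT = CLEAN_SWFOBJECT + "eval(String.fromCharCode(118,97,114)); /* decoder stub */\n"


def known_good_manifest():
    return {TEMPLATE_LOADER: hashlib.sha256(CLEAN_LOADER.encode()).hexdigest(),
            SWFOBJECT_JS: hashlib.sha256(CLEAN_SWFOBJECT.encode()).hexdigest()}


def build_demo_install(root, infected):
    root = Path(root)
    (root / "wp-includes/js").mkdir(parents=True)
    (root / TEMPLATE_LOADER).write_text(INJECTED_LOADER if infected else CLEAN_LOADER)
    (root / SWFOBJECT_JS).write_text(INJECTED_SWFOBJECT if infected else CLEAN_SWFOBJECT)


def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_users VALUES (1,'siteowner','2012-03-01 09:00:00'),
            (2,'editor1','2013-07-14 11:30:00'), (3,'wp_admin2','2014-12-13 03:17:55');
        INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES
            (1,'wp_capabilities','a:1:{s:13:"administrator";b:1;}'),
            (2,'wp_capabilities','a:1:{s:6:"editor";b:1;}'),
            (3,'wp_capabilities','a:1:{s:13:"administrator";b:1;}');
    """)
    return conn


def run_demo():
    results = {}
    for infected in (False, True):
        with tempfile.TemporaryDirectory() as tmp:
            build_demo_install(tmp, infected)
            results["infected" if infected else "clean"] = scan_wordpress(tmp, known_good_manifest())
    results["admins"] = [login for login, _ in list_administrators(build_demo_db())]
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

On the demo data the infected tree reports both core files as checksum mismatches plus the enqueue string in template-loader.php, and the admin query surfaces an account registered the weekend of the outbreak next to the long-standing site owner; that second account is the kind of entry the clean-up step is meant to catch.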


Source: threatpost.com/google-blacklists-wordpress-sites-peddling-soaksoak-malware/109884
