Users of the WordPress CMS are most affected

Dec 15, 2014 15:10 GMT  ·  By

Malware served from the Russian website soaksoak.ru has affected more than 100,000 WordPress websites, although WordPress is not the only platform impacted, security researchers say.

Tony Perez, co-founder and CEO of Sucuri, a firm offering website integrity protection solutions, examined the malware on a compromised WordPress site and found that it modified the “wp-includes/template-loader.php” file, adding code that injects a malicious JavaScript into every page the site serves.

That script in turn loads further JavaScript malware from SoakSoak.ru.
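Because the infection described above lives in a modified core file and references a single external domain, an administrator can look for it locally without waiting on a remote scanner: take a hash manifest of a known-clean copy of the site, compare it against the live tree, and grep every file for the soaksoak.ru indicator. The script below is an added example written for this article, not Sucuri's scanner or WordPress code; the "WordPress" files, the injected line and the extra dropper file it creates are constructed stand-ins for demonstration.

```python
"""Detect a SoakSoak-style core-file modification in a WordPress tree.

Two checks are combined: (1) a SHA-256 manifest taken from a known-clean copy
of the site is compared against the live tree, so any edited, added or removed
file shows up; (2) every live file is scanned for the soaksoak.ru domain, the
indicator named in the article.  Added example; the files written by demo()
are constructed stand-ins, not real WordPress core files.
"""
import hashlib
import os
import re
import tempfile

# Indicator from the article: the injected script is fetched from soaksoak.ru.
IOC_PATTERNS = {
    "soaksoak.ru": re.compile(rb"soaksoak\.ru", re.IGNORECASE),
}


def iter_files(root):
    """Yield (path relative to root with '/' separators, absolute path) pairs."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's relative path to its SHA-256 (take this from a clean copy)."""
    return {rel: sha256_file(full) for rel, full in iter_files(root)}


def compare_tree(baseline, root):
    """Report files in the live tree that differ from, or are absent from, the baseline."""
    live = build_manifest(root)
    return {
        "modified": sorted(p for p in baseline if p in live and live[p] != baseline[p]),
        "added": sorted(p for p in live if p not in baseline),
        "missing": sorted(p for p in baseline if p not in live),
    }


def scan_iocs(root):
    """Return (relative path, indicator name) for every file mentioning an IOC."""
    hits = []
    for rel, full in sorted(iter_files(root)):
        with open(full, "rb") as f:
            data = f.read()
        for name, pattern in IOC_PATTERNS.items():
            if pattern.search(data):
                hits.append((rel, name))
    return hits


# Constructed stand-ins for a WordPress tree (not the real core files).
CLEAN_FILES = {
    "wp-includes/template-loader.php": b"<?php\n// stand-in for the core loader\ndo_action('template_redirect');\n",
    "wp-includes/js/example.js": b"/* stand-in for a bundled script */\n",
}
# Constructed injection: a line appended to the loader that pulls a script from the IOC domain.
INJECTED_LINE = b"echo '<script src=\"//soaksoak.ru/x.js\"></script>';\n"


def write_tree(root, files):
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)


def demo():
    """Build a clean and a tampered copy, then run both checks on the tampered one."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = os.path.join(tmp, "clean"), os.path.join(tmp, "live")
        write_tree(clean, CLEAN_FILES)
        write_tree(live, CLEAN_FILES)
        baseline = build_manifest(clean)
        # Simulate the infection on the live copy: edit the loader, drop one extra file.
        with open(os.path.join(live, "wp-includes", "template-loader.php"), "ab") as f:
            f.write(INJECTED_LINE)
        write_tree(live, {"wp-content/uploads/dropper.php": b"<?php // constructed extra file\n"})
        return compare_tree(baseline, live), scan_iocs(live)


if __name__ == "__main__":
    diff, hits = demo()
    for kind in ("modified", "added", "missing"):
        print(f"{kind}: {diff[kind]}")
    print("IOC hits:", hits)
```

Run against a real install, point `build_manifest` at a clean extract of the same WordPress, plugin and theme versions and `compare_tree`/`scan_iocs` at the live document root. For core files alone, WP-CLI's `wp core verify-checksums` does the comparison against the hashes published by wordpress.org, so no local clean copy is needed; bundled plugins such as the one discussed below still require a baseline of your own.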

Slider Revolution plug-in is suspected

Over the weekend, Google carried out a massive blacklisting action covering more than 11,000 domain names connected to the SoakSoak malware.

The attack vector has not been confirmed, but based on the evidence so far Perez believes the sites were compromised through a vulnerability in the Slider Revolution Premium plug-in (a slideshow component) that has already been fixed.

However, the patch was released silently, so many users may still have the vulnerable version of the component installed on their websites.

Users who bought the plug-in directly from the developer received the fixed version through automatic updates. Many others, however, obtained the component bundled inside a theme package, and where the theme developer did not ship an updated Slider Revolution, the site owner had to update it manually.

ThemePunch, the makers of Slider Revolution, did not inform customers that a new version was available or of the danger of running the unpatched one, which led to a wave of compromises in September affecting more than 1,000 websites.

Google blacklisted SoakSoak.ru

Administrators can check if their websites have been compromised using a free scanner from Sucuri, which has been updated with the signatures for the aforementioned threat.

Access to SoakSoak.ru is currently blocked by Google, with the Chrome browser showing its red malware warning page. Google's Safe Browsing diagnostic page also lists the site as dangerous, as malicious software was found hosted there.

The last time suspicious content was present on one of the SoakSoak pages was on Sunday, December 14.

Signs of compromise include unusual site behavior, such as visitors being redirected to the malicious website or file downloads starting without the visitor's consent.

Even if Slider Revolution turns out not to be the root cause of this outbreak, administrators are advised to check that they are running the latest version of the component on their websites.

SoakSoak malware (5 images): Sucuri's free SiteCheck scanner reporting whether a site is infected; Google blocking access to SoakSoak.ru.