SoakSoak: over 100,000 Wordpress sites hit by mysterious Russian malware

Experts fear the problem might be too big to contain

Wordpress, the world’s most popular blogging platform, is vulnerable to a piece of mysterious Russian malware called ‘SoakSoak’ that could already have infected 100,000 pages, experts have said.

Google has already blacklisted over 11,000 sites that are infected with the malware, in the hope of stopping it from spreading.

The attack has been launched by soaksoak.ru, giving the malware its name. The internet security firm Sucuri, which first spotted the problem, has said that it could have compromised over 100,000 sites.

The problem appears to begin with a plugin called RevSlider which Sucuri said months ago could have vulnerability. The plugin is a premium piece of software meaning that it will be hard for many users to upgrade to get rid of the problem, Sucuri said.

“Some website owners don’t even know they have it as it’s been packaged and bundled into their themes,” Daniel Cid from Sucuri wrote in a blog yesterday.

And even if the problem is fixed, hackers appear to be installing new software onto websites that could give them control of the pages in the longer term.

If a site is infected with the problem, it might mean that it acts oddly — though it may not immediately present itself to users at all.

Sucuri, which discovered the problem, runs a free site checker which will scan any webpage to see if it has been infected with the SoakSoak malware as well as other malware and problems.

If the page does show issues, Sucuri recommends the deletion of two files — swfobject.js and template-loader.php — which will get rid of the initial infection, but will still leave the website vulnerable and likely to be infected quickly.

The best way to ensure that a page is protected is to use a website firewall, such as those offered by Sucuri themselves as well as other internet security firms.

Comments