
SoakSoak Russian Malware Gets 11,000 Sites Blackballed

SoakSoak is the name given to a strain of malware that originates in Russia. It has one purpose: to send visitors of legitimate websites on to malware-infested sites. Because of this, Google has had to put more than 11,000 WordPress sites on its blacklist. WordPress sites were hit so badly because the malware's developers know that it is now probably the most popular content management system in the world, running on over 70 million websites online today. That sheer number of sites makes WordPress a juicy target for cybercriminals looking for a way to reach users.

How SoakSoak Works

Once a website has been infected, SoakSoak first modifies WordPress installation files. Changing wp-includes/template-loader.php gives the SoakSoak malware control over the website; it then loads a swobject.js file onto the device being used to view the page.

After this, a piece of JavaScript-based malware runs on the site. The malware was found to be served from the website soaksoak.ru. SoakSoak was reported by Sucuri, a security company that provides protection for websites. Sucuri analysts warned that this malware was a particularly bad one because it had the potential to infect hundreds of thousands of sites. Sucuri's services include malware removal and preventing the kind of blacklisting that happened to those 11,000+ websites.

SoakSoak sends users of legitimate websites to other pages on the Web that are full of malware. WordPress sites are the most affected, but the malware can also harm websites built on other platforms. Once users reach these pages, the payloads are downloaded onto their systems. SoakSoak probably exploits a previously known vulnerability in a WordPress plugin called RevSlider, which Sucuri also reported some months ago. RevSlider is used by many WordPress themes that are live online. A big problem here is that RevSlider cannot be upgraded for free. Most website owners can't afford to get the plugin upgraded, so the vulnerability remains unpatched and the malware can easily spread to users. Moreover, if a website owner is alerted to the infection and tries to remove it, SoakSoak simply reinstalls itself and the cycle continues. SoakSoak has a very intricate payload structure, which accounts for most of these failed removal attempts; other owners cannot get rid of it because they do not know how to properly clean their websites. Administrators who cannot afford professional services are therefore bound to keep spreading this malware indefinitely.
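A server-side integrity check a site owner could run against the file modification and re-infection cycle described above (an added example, not code from the article or from Sucuri): it hashes a pristine WordPress copy of the same version, which is assumed to be available, and flags files in the live install that were added, changed, or mention the soaksoak.ru domain named in the article. The sample directory tree is constructed inline.

```python
import hashlib
import os
import tempfile

# Indicator taken from the article: the domain the injected script is served from.
INDICATORS = [b"soaksoak.ru"]

def hash_tree(root):
    """Map each file's POSIX-style relative path to its SHA-256 hex digest."""
    hashes = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                hashes[rel] = hashlib.sha256(f.read()).hexdigest()
    return hashes

def scan_install(live_root, baseline):
    """Compare a live WordPress tree with the baseline of a pristine copy of the
    same version. Returns sorted (relative_path, reason) pairs for files that were
    added, whose hash differs, or that mention an indicator domain."""
    findings = set()
    for dirpath, _, files in os.walk(live_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, live_root).replace(os.sep, "/")
            with open(full, "rb") as f:
                data = f.read()
            if rel not in baseline:
                findings.add((rel, "not present in clean copy"))
            elif hashlib.sha256(data).hexdigest() != baseline[rel]:
                findings.add((rel, "hash differs from clean copy"))
            for ind in INDICATORS:
                if ind in data.lower():
                    findings.add((rel, "references " + ind.decode()))
    return sorted(findings)

def demo():
    """Constructed sample: a clean copy and a live install whose
    wp-includes/template-loader.php has had a loader line appended."""
    loader = os.path.join("wp-includes", "template-loader.php")
    clean_src = b"<?php\n// clean loader\ndo_action('template_redirect');\n"
    tampered = clean_src + b"// injected: pulls a script from soaksoak.ru\n"
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        for root, src in ((clean, clean_src), (live, tampered)):
            os.makedirs(os.path.join(root, "wp-includes"))
            with open(os.path.join(root, loader), "wb") as f:
                f.write(src)
        return scan_install(live, hash_tree(clean))
```

Calling demo() returns two findings for wp-includes/template-loader.php, a hash mismatch and a reference to soaksoak.ru; re-running the same comparison after a cleanup is how an owner would notice the malware reinstalling itself.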

Sucuri says that most hosts that serve WordPress sites are going to be affected by SoakSoak. From the analysis the security company published on its website, https://sucuri.net/, we can see that SoakSoak is going to be a real nuisance for both WordPress administrators and site users. The infection quickly spreads to users and automatically redirects them to the soaksoak.ru web page, which delivers the malicious payload to their devices.

SoakSoak employs many methods to deploy its payloads, according to Daniel Cid of Sucuri. One particularly interesting one is the use of image files: when the malware is injected into images, it can spread even more quickly and more deeply into systems. Other methods can even grant administrator privileges to the cybercriminals behind the exploit. With those powers, they can control the website more effectively and keep that control for the long run.

The best effort so far to stop this malware from spreading to millions of users worldwide is Google's decision. When Google realized the scale of the SoakSoak problem, it reviewed the reported websites and decided to blackball them. This is not a decision taken lightly or without foresight. Google knows that if it continued to promote these websites, the thousands already infected could quickly multiply and in turn infect potentially millions of users. It had to blacklist these websites to protect the public from SoakSoak. Security analysts agree that this was a good decision by Google. The boycott of infected sites is going to disrupt the SoakSoak cybercriminals' plans to use the malware to rob hundreds of thousands of people. It also encourages site owners to take the next steps to get their sites cleaned up for real and for good: they will have to put in the extra effort and money if they ever want to get back onto Google's search results pages.

To help websites avoid getting blackballed, Sucuri offers a free site checker that owners can use to see whether they have been infected. This tool looks at the pages of a site and alerts the person running the check to the infected files that need to be deleted. Website administrators should also set up proper firewalls to prevent malware infections in the future.
