SoakSoak Malware Compromises 100,000+ WordPress Websites

News of a malware campaign against WordPress has been doing the rounds since owners and webmaster of wordpress blogs found out about websites getting blacklisted by Google. Around 11,000 domains had been blocked due to the latest malware campaign which has now swelled to 100,000. This campaign  has been brought by SoakSoak.ru, thus being dubbed the ‘SoakSoak Malware’ epidemic.

The malware

Once your website has been infected by the malware, you may experience irregular website behavior including unexpected redirects to SoakSoak.ru web pages. You may also end up downloading malicious files onto your computer systems automatically without any knowledge. The attack vector for the malware is not yet known, as is the reason of this campaign.  This campaign has resulted in a loss both revenue and reputation for the WordPress blog owners who are blacklisted by Google.

SoakSoak malware modifies the file located at wp-includes/template-loader.php which causes wp-includes/js/swobject.js to be loaded on every page view on the website and this “swobject.js” file includes a malicious java encoded script malware.

Security Net

The security team which has been investigating the campaign –  Sucuri –  says that this campaign does not appear to be specifically targeted towards WordPress,  the victims seem to be blogs relying on its frame work.  So the fact that most of its victims are WordPress websites, may just be a coincidence.

If you run any website and are worried about the potential risk of the infection to your website, Sucuri has provided a free SiteCheck tool here scanner that will check your website for the malware. The exact method of intrusion has not been pointed out at this time, but numerous signals led to believe us all that many WordPress users could have fallen victim to this attack. However, if you have enabled a Firewall,  CloudProxy or CDN service, you are protected from the SoakSoak malware campaign.