SoakSoak Malware Attack Reality Check

Sites with a certain slider and even two browsers are being targeted in this attack. I’ve been keeping my ear to the wire on SoakSoak, including the evolution of the attack and what it takes to fix it. Plus, there is a free online scanner to check your site. Plus, I’m debunking the reports on this particular attack as well, to help us all get a reality check on what’s going on.
The Reports
Sucuri first reported that 100s of 1000s of sites had been infected.
The most recent report has been downgraded to over 100,000 WordPress sites infected since the malware attack began on Sunday, the 14th.
Yet, they have not provided the source of how they determined how many sites have been actually attacked.
In fact, one report stated that the folks at Sucuri could not confirm that number either, yet all posts running the story repeat it as if it’s real.
They have also reported that Google has slapped 11,000 sites with malware notices. Again, no source on where they are getting those numbers.
To put these reported numbers into perspective, there are over 70 million sites running WordPress. Even if 100,000 have been infected, it’s a drop in the bucket. Of course, it’s a huge deal to anyone who has an infected site.
It Was a Known Threat
Gizmodo reports SoakSoak as a mysterious Russian malware.
There’s nothing mysterious about it. The developers of the affected plugin have known about it since at least February 2014.
And if you’re wondering why it’s considered a Russian attack, that’s where the servers are located for the redirected pages on compromised sites.
The Problem
The malware code is primarily in the RevSlider plugin.
It loads into a few specific php and js files and runs a JavaScript that loads the malware.
The developers released an initial patch for it back in February, and several more since.
But that didn’t fix all of the sliders, and here’s why.
This particular slider came bundled in some theme packages. The owner has no idea an update is available.
And the developers decided to not publicly tell anybody. There’s a reason for that. More in a moment.
What Sites are at Risk
- If you use the RevSlider and are on WordPress.com, you’re okay. The patches were updated on your site automatically.
- If you use the RevSlider, or don’t know what slider you use, and your site is self-hosted, then it may be at risk.
- If your site pages/posts are being redirected to SoakSoak.ru, then it’s definitely infected.
Free Scanner
Sucuri has provided a free online scanner so you can check your site if you think it has been infected.
The Fix
Sucuri has a Payload Report of exactly what files are being affected and how this attack is evolving.
At the bottom of that report they include the least that must be done to secure the site.
From what I’m hearing, the fix is not quite as simple as applying the patches supplied from the developer, or following just the measures advised by Sucuri.
A trusted developer buddy is saying it is best to completely remove all files associated with the slider and install the most recent version.
Some folks are reporting that they have several sites in one account. Even though the slider is only on one of those sites, the entire account has been infected.
Check Your Browser Too
This malware vulnerability extends beyond the slider. Sucuri reports that at least two browsers are being targeted as well, which are:
- FireFox
- Internet Explorer 11
So be sure you’re running the latest versions on them as well.
Why Most Folks Didn’t Hear About This Until Now
A battle has been happening in the developer and white-hat hacker communities for some time. It’s stuff they talk about with each other and are actually pleased that the general public doesn’t get wind of much of it. (If you did, it would scare you silly about all that really goes on behind the scenes.)
There has been a code of ethics emerging among them about when and how to report security issues.
For more, see the Code of Ethics for Hackers section in the Dec 16 Tips Tuesday post. That’s my weekly roundup of what’s happening online, including with site security.
You can subscribe to it or all blog posts here. It comes as a podcast too.
And, on my G+ page I report it as I hear it. So you don’t have to wait for the weekly update to be in-the-know.
The Real Reality Check
Sucuri reported on this vulnerability months ago, which was still months after the slider developers knew about it and had released patches. So, in that respect, they adhered to the same code of ethics they advocate for such reporting.
But, and this is worth saying, Sucuri is in the business of finding such threats. After all, their big products are security scanners and a security firewall service.
I’m delighted and grateful that the folks at Sucuri find such things, report them, and make so many free scanners available for all to use.
I’m not so keen on them making up numbers to dramatize the threat. And, oh by the way, mentioning that folks who have their paid firewall product are protected from this threat.
Sites are hacked every minute of every day.
New threats come out every minute of every day.
Once in a while one of them is so big that it affects a significant number of sites. This isn’t one of them. But you couldn’t tell that from all the headlines about it.
And yeah, I know some of you are thinking I’m just jumping on the news too. Yep. Name of the game. But I try to report only what I can verify.
What You Really Need to be Scared of
I’ve been telling you since September 2013 what to watch out for to keep your site safe. As much as I can, I give specifics. Sometimes I can’t be more specific because I want to stay in compliance with the reporting ethics of the community. Black-hat hackers read these reports too, you know.
What I can publicize runs about 3 months ahead of the brunt of the attack.
I’m telling you now that a tidal wave of old code hacks is on the way. And it’s not just on your site. It’s going to get personal. I’m working on a post to tell you more.
Watch for it.
Subscribe to my posts so you don’t miss a thing.
