Mysterious Russian Malware Is Infecting Over 100,000 WordPress Sites

By Kate Knibbs

A Russian malware called SoakSoak has infected over 100,000 WordPress sites since Sunday, turning blogs into attack platforms. It's a potential shitshow, and it could've been prevented earlier this Autumn.

Google has already blocked 11,000 domains to try to curb the damage. According to security firm Sucuri, the malware uses a vulnerability in a slideshow plug-in called Slider Revolution. The Slider Revolution team has known about the vulnerability since September, but it looks like they failed to fix it before the security hole got crammed with steaming hot malware.

Researchers at Sucuri are warning that it'll be hard to completely eradicate the malware as long as so many site owners don't know it's there. In addition to removing the malicious code, they will need to update the premium plug-in. If the plug-in came as part of a theme, it won't update automatically, which means site admins will have to manually update.

Gaming site Dulfy was one of the first infected domains to fix the problem by removing the code and going behind a firewall, but the malware may persist indefinitely on blogs with less diligent administrators. And Dulfy's admin isn't sure the fix is permanent. "The firewall will be a temporary measure until we can figure out what is doing it," site owner Kristina Hunter told me.

Over 70 million sites use WordPress as a content management system, from personal blogs to Time.com. This malware attack only affects self-hosted sites that use WordPress, so if you have a personal blog on WordPress.com, you're okay.

Of course, if you run a personal blog on WordPress.com but you ever visit sites with the malware, you're a lot less okay. This is bad news for anyone who uses the internet. WordPress sites are incredibly common, and Google has only caught a small percentage of the infected sites. It's not clear whether the malware distributors are aiming to steal data or do something else nefarious, but unless this is the first recorded malware attack that's secretly an altruistic mission to infect devices with witty e-cards and free software, it's highly likely that SoakSoak sucks.

There is no reason this kind of attack should go down when the Slider Revolution team knew about their weak spot in advance. This is yet another stark reminder that ignoring vulnerabilities is an act of hubris that should not be tolerated. Fix your damn vulnerabilities.

I've contacted WordPress to see if the service is taking any steps to remove the malware, and I'll update if I hear back. [Sucuri via Ars Technica]