A particular type of malware has infected more than 100,000 WordPress specific websites, according to a security firm.
Tony Perez, CEO and Co-Founder of Sucuri, a web protection and malware removal company, notes in a blog post that the malware first came to his attention when Google blacklisted more than 11,000 domains infected with the malware.
The malware works by modifying the file wp-includes/template-loader.php so that wp-includes/js/swobject.js is loaded on every page of an infected site. That file contains Java-encoded script malware, hxxp://soaksoak.ru/xteas/code, which is fetched from the SoakSoak.ru domain.
Once infected, sites may unexpectedly redirect users to SoakSoak.ru web pages and/or may download malicious files onto users’ computers without their knowledge.
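The two file-level indicators the article names (an injected reference to swobject.js in template-loader.php, and a swobject.js that points at soaksoak.ru) can be checked with a short scanner. This is an added defender's example, not code from Sucuri or from the article; the sample WordPress tree it builds is constructed on the fly, and the exact injected PHP line is an assumption used only to exercise the check.

```python
"""Added example: scan a WordPress document root for the SoakSoak indicators
named in the article. Not Sucuri's code; the sample tree is constructed here."""
import os
import re
import tempfile

# Paths and patterns taken from the article's description of the infection.
LOADER_PATH = os.path.join("wp-includes", "template-loader.php")
SWOBJECT_PATH = os.path.join("wp-includes", "js", "swobject.js")
LOADER_PATTERN = re.compile(r"swobject\.js", re.IGNORECASE)
DOMAIN_PATTERN = re.compile(r"soaksoak\.ru", re.IGNORECASE)


def _read(path):
    """Return file contents, or None if the file is absent/unreadable."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def scan_wordpress_root(root):
    """Return a list of findings for one WordPress document root."""
    findings = []
    loader = _read(os.path.join(root, LOADER_PATH))
    if loader is not None and LOADER_PATTERN.search(loader):
        findings.append("template-loader.php references swobject.js")
    swobject = _read(os.path.join(root, SWOBJECT_PATH))
    if swobject is not None:
        # swobject.js is the dropped file (note: not WordPress's own swfobject.js);
        # its presence alone is worth flagging, the domain reference confirms it.
        findings.append("unexpected file wp-includes/js/swobject.js present")
        if DOMAIN_PATTERN.search(swobject):
            findings.append("swobject.js references soaksoak.ru")
    return findings


def build_sample_root(infected):
    """Construct a throwaway WordPress-like tree; contents are sample data."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-includes", "js"))
    loader = "<?php\n// constructed stub of the stock loader\ndo_action('template_redirect');\n"
    if infected:
        # Assumed shape of the injected line; the real injection may differ.
        loader += "wp_enqueue_script('swobject', '/wp-includes/js/swobject.js');\n"
        with open(os.path.join(root, SWOBJECT_PATH), "w") as fh:
            fh.write("/* constructed */ var u = 'hxxp://soaksoak.ru/xteas/code';\n")
    with open(os.path.join(root, LOADER_PATH), "w") as fh:
        fh.write(loader)
    return root
```

On a real host, point scan_wordpress_root at each site's document root; a clean install returns an empty list.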
While the malware vector could be used against other types of websites, hosts across the WordPress hosting spectrum have been predominantly affected, Perez notes.
And with about one in six of the world’s websites (roughly 60 million) running WordPress, many more sites could ultimately become infected.
The “SoakSoak” malware resembles another WordPress vulnerability discovered earlier this year.
Back in September, researchers found a serious vulnerability in the WordPress Slider Revolution Premium plugin, a popular slider plugin sold on Envato’s CodeCanyon marketplace. Using a Local File Inclusion (LFI) attack, hackers were able to download the wp-config.php file (http://victim.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php) and steal the database credentials it contains, which in turn let them attack a WordPress site through its database.
In that instance, the plugin’s developers did not notify customers of the vulnerability and tried to patch it silently; attacks were subsequently discovered in the wild.
Sites located behind Sucuri’s Website Firewall are currently protected from the “SoakSoak” malware.