Community news and analysis: December 2014

Posted on January 16, 2015 - 14:12 by ccondon

Here's a quick (late) roundup of security community happenings from last month. Naturally, the SoakSoak malware campaign has been foremost on our minds, but December brought a number of other announcements and some neat malware analysis from our partners, too.

Security news

  • Google released code for End-to-End Chrome extension to open source (GitHub repository). As of last month, the extension, which enables end-to-end encryption for Gmail within Chrome, was not yet ready for the Chrome Web Store.
  • Qualys on December Patch Tuesday


  • ESET and Sophos on Win32/VirLock, a parasitic, polymorphic hybrid strain of ransomware
  • Sucuri on the massive SoakSoak malware campaign, the RevSlider vulnerability that led to it, and infection evolution
  • Automattic on scanning for SoakSoak and how to begin fixing a compromised site
  • Fortinet: Analysis of a JAR obfuscated malware packer

Akeemdom malware poses as ad network

Posted on January 13, 2015 - 15:45 by ccondon

A PSA from Blake, our testing intern:

For the past two weeks, we have seen a large number of WordPress sites infected with a malicious script located at http://ads[.]akeemdom[.]com/db26 (Google Safe Browsing diagnostics). This infection is related to the SoakSoak campaign; in this case, the malware disguises itself as an ad network. Although the exploit itself has never delivered content to our testers, we have noticed its signatures. The following code snippet is typically inserted at the end of JavaScript files located in the infected site’s /wp-includes/ directory:

It’s often found in multiple scripts; be sure to check all the JavaScript files your site uses. Sucuri has additional analysis here