Google blacklists over 10,000 WordPress sites as SoakSoak malware hits

16 Dec 20142 Shares

Share on FacebookTweet about this on TwitterShare on LinkedInShare on Google+Pin on PinterestShare on RedditEmail this to someone

Share on FacebookTweet about this on TwitterShare on LinkedInShare on Google+Pin on PinterestShare on RedditEmail this to someone

Internet search giant Google has blacklisted more than 11,000 domains after Soaksoak.ru’s latest malware campaign compromised more than 10,000 WordPress sites.

Sucuri.net reported on the malware, and Google’s response, after its analysis showed “impacts in the order of 100’s of thousands of WordPress specific websites.”

Sucuri hasn’t named the exact number of affected sites, however it had originally drawn a correlation to the Slider issue a few months back, which gave hackers the capability download files directly from servers which had downloaded the ‘Slider Revolution Premium WordPress Plugin’.

Since then Sucuri has confirmed the link, claiming that the combination of the threats is also making use of a number of new backdoor payloads, “some are being injected into images to further assist evasion and others are being used to inject new administrator users into the WordPress installs, giving them even more control long term.”

Users are warned that removing the origin files – swfobject.js and template-loader.php – will not cut it and that, as its a premium service that is affected, WordPress are in a fair spot of bother.

“Some website owners don’t even know they have it as it’s been packaged and bundled into their themes. We’re currently remediating thousands of sites and when engaging with our clients many had no idea the plugin was even within their environment.”

If you’re a blogger out there, don’t worry. Gizmodo reports that, despite tens of millions of sites using WordPress to some degree, “this malware attack only affects self-hosted sites that use WordPress, so if you have a personal blog on WordPress.com, you're okay.” Also, Sucuri currently have a cool little tool to help check if your site is infected.

Blacklist icon image, via Shutterstock

Gordon Hunt is senior communications and context executive at NDRC. He previously worked as a journalist with Silicon Republic.

editorial@siliconrepublic.com