More than 100,000 WordPress websites have been infected with malware that exploits a vulnerability in the popular WordPress plugin RevSlider. The attack turns an infected WordPress site into a distributor that spreads malware, this time aimed at the site's visitors.
The malware has been named SoakSoak because some infected sites redirect their visitors to a malicious website at soaksoak.ru, according to the security firm Sucuri, based in Menifee, California. To curb the spread of the infection, Google has blacklisted more than 11,000 infected WordPress websites.
SoakSoak works by scanning for websites that use WordPress and looking for those still running an old version of the RevSlider plugin. Earlier versions of RevSlider have a known vulnerability to Local File Inclusion attacks, through which an attacker can remotely change the contents of files. The attackers modify the swfobject.js file found on the WordPress site, adding malicious code that redirects the site's visitors to soaksoak.ru.
RevSlider is a premium WordPress plugin that is sometimes bundled with WordPress themes, so some website and blog operators may not realize they have it, while others may not want to spend more money to update it. These two factors are why SoakSoak has spread so rapidly and infected so many WordPress sites.
Sucuri offers a free tool that site administrators can install to check whether their site has been affected by SoakSoak or other malware.
Cleaning an infected WordPress site is possible, but it is quite involved. Administrators must first replace the swfobject.js and template-loader.php files on their site with versions free of the malicious code. To avoid being reinfected, they also have to pay for the RevSlider update or remove RevSlider, and then put a firewall in front of the site.
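One way an administrator can check the two files named above before and after a cleanup, as an added example that is not Sucuri's tool or code from the original article: it walks a WordPress install, flags every copy of swfobject.js or template-loader.php that mentions the soaksoak.ru redirect domain, and, when a baseline of hashes from clean copies is supplied (assumed to come from a fresh download of WordPress and of the plugin), also flags copies whose content differs from the baseline. The sample site tree and its contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# The two files the article says SoakSoak rewrites with its redirect code.
TARGET_FILES = {"swfobject.js", "template-loader.php"}
# Indicator named in the article: infected pages send visitors to soaksoak.ru.
INDICATOR = b"soaksoak.ru"


def sha256_of(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def scan_wordpress_tree(root, baseline=None):
    """Return [(relative_path, reason)] for targeted files that look tampered.

    baseline is an optional {filename: sha256 hex} of known-clean copies
    (assumed to be supplied by the operator). A copy whose hash differs is
    reported even without the indicator, since the redirect domain can change.
    """
    baseline = baseline or {}
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.name not in TARGET_FILES:
            continue
        rel = path.relative_to(root).as_posix()
        if INDICATOR in path.read_bytes().lower():
            findings.append((rel, "contains soaksoak.ru redirect"))
        elif path.name in baseline and sha256_of(path) != baseline[path.name]:
            findings.append((rel, "differs from known-clean copy"))
    return findings


def build_sample_site():
    """Create a constructed, throw-away WordPress-like tree for a demo run."""
    root = Path(tempfile.mkdtemp())
    clean_js = b"/* swfobject v2.2 */ var swfobject = function(){}();\n"
    clean_php = b"<?php // clean template loader\n"
    (root / "wp-includes").mkdir()
    (root / "wp-includes" / "swfobject.js").write_bytes(clean_js)      # clean
    (root / "wp-includes" / "template-loader.php").write_bytes(
        clean_php + b"// constructed extra line: hash no longer matches\n")
    plugin = root / "wp-content" / "plugins" / "revslider" / "js"
    plugin.mkdir(parents=True)
    # Constructed stand-in for an injected copy; the real payload is not reproduced.
    (plugin / "swfobject.js").write_bytes(
        clean_js + b"/* constructed marker for the demo: soaksoak.ru */\n")
    baseline = {"swfobject.js": hashlib.sha256(clean_js).hexdigest(),
                "template-loader.php": hashlib.sha256(clean_php).hexdigest()}
    return root, baseline
```

Running `scan_wordpress_tree(*build_sample_site())` reports the plugin's swfobject.js for the indicator and wp-includes/template-loader.php for the hash mismatch, while the untouched wp-includes/swfobject.js is not reported.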
In their blog post, Sucuri added a reminder: “Some users clear the infection and after minutes are reinfected; this is due to the complex nature of the site itself and cleanup efforts that were not properly done”.
Are you using WordPress for your website?