Our take on the “soaksoak” (revslider) infection

Here’s our review of the recent revslider plugin exploit – or as some call it, “soaksoak” (ouch).

On November 22, 2014, while removing malware from a number of sites, we noticed a large number of them had backdoor shells buried in the revslider folder. After the first 100+ sites, we noticed the pattern.

A little Google searching found this site: http://whatisgon.wordpress.com/2014/11/30/another-revslider-vulnerability/

Our first notification was to hosting providers we work with. We told them what to search for so they could alert their customers. The problem was that we did not report it to the right people. That was our mistake.

The first sites did not have any code injected into the swfobject.js or collect.js files, or the .html or .php files. The sites simply had numerous backdoor shells spread throughout the wp-includes, wp-admin and wp-content folders. It appears as if the hackers were looking for the deepest-level folders they could find.

Some online searching showed very few infected sites: 1,100 sites. We did reach out to those website owners to let them know – not to try and drum up business but to be responsible. And discreet.

Many of the forums are reporting links to 122.155... but we’re also seeing links to other IP addresses as well. The injected malscript can be in just the swfobject.js files, or in all .js files, all .html files and selected .php files.

Some of the sites have code injected into the collect.js file, which apparently is the same code that the malicious links point to. This leads us to believe that the hackers could use these infected sites in their future malicious links, and most recently we have seen the injected code use the local site’s URL to point to the infected collect.js file.

You’ll find the malicious code in the template-loader.php file located in the wp-includes folder. This should be replaced with a copy of the original file downloaded directly from the WordPress site.
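The three symptoms described above (a core file such as template-loader.php modified in place, stray .php shells buried in deep wp-includes, wp-admin and wp-content folders, and .js/.html files that pull from another host) can all be swept for with a hash manifest plus a simple file walk. The script below is an added example written for this post; it is not the author’s tooling or a WordPress utility. The manifest hashes, the file names ending in constructed-shell.php, the hostnames www.example-site.test and malicious.example, and the temporary tree it builds are all constructed for the demo; a real sweep would load the checksums WordPress publishes for the exact installed version and extend the manifest to plugin and theme files.

```python
"""Integrity sweep for a WordPress install (added example, not the post's own code).

Reports three symptoms: files that no longer match a known-good manifest,
unexpected .php files under wp-includes / wp-admin or wp-content/uploads,
and .js / .html files that reference a host other than the site's own.
All hashes, names and hosts used in demo() are constructed for illustration.
"""
import hashlib
import os
import re
import tempfile

CORE_ONLY_DIRS = ("wp-includes/", "wp-admin/")  # no plugin/theme code lives here
UPLOADS_DIR = "wp-content/uploads/"             # should never contain PHP
ABS_URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, manifest, site_host):
    """Walk `root` and return findings grouped by category.

    manifest  : {relative_path: expected_sha256} for known-good files
    site_host : the site's own hostname; URLs to any other host are reported
    """
    findings = {"modified_core": [], "unknown_php": [],
                "php_in_uploads": [], "external_hosts": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel in manifest:
                # Known file: any hash mismatch means it was edited in place.
                if sha256_file(full) != manifest[rel]:
                    findings["modified_core"].append(rel)
            elif name.endswith(".php"):
                # PHP that is not in the manifest is suspicious only where no
                # legitimate third-party code should exist.
                if rel.startswith(CORE_ONLY_DIRS):
                    findings["unknown_php"].append(rel)
                elif rel.startswith(UPLOADS_DIR):
                    findings["php_in_uploads"].append(rel)
            if name.endswith((".js", ".html")):
                with open(full, "r", encoding="utf-8", errors="replace") as f:
                    text = f.read()
                for host in sorted({m.lower() for m in ABS_URL_HOST.findall(text)}):
                    if host != site_host.lower():
                        findings["external_hosts"].append((rel, host))
    return findings


def _write(root, rel, text):
    """Create `rel` under `root` (making parent dirs) and return its full path."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as f:
        f.write(text)
    return full


def demo():
    """Build a constructed WordPress-like tree, record a manifest from the
    clean files, tamper with it the way the post describes, and return what
    sweep() reports."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    clean = {  # constructed stand-ins, not real WordPress file contents
        "wp-includes/template-loader.php": "<?php\n// constructed stand-in for the core file\n",
        "wp-includes/js/swfobject/swfobject.js": "/* constructed stand-in */ var swfobject = {};\n",
        "wp-admin/index.php": "<?php\n// constructed stand-in\n",
    }
    manifest = {rel: sha256_file(_write(root, rel, text)) for rel, text in clean.items()}
    # Legitimate theme code is not in the manifest and must not be flagged.
    _write(root, "wp-content/themes/constructed-theme/functions.php", "<?php\n")
    _write(root, "wp-content/themes/constructed-theme/theme.js",
           'var logo = "http://www.example-site.test/logo.png";\n')  # own host
    # Symptom 1: a core file edited in place (the template-loader.php case).
    _write(root, "wp-includes/template-loader.php",
           clean["wp-includes/template-loader.php"] + "/* constructed: injected marker */\n")
    # Symptom 2: shells dropped in a deep core folder and in uploads.
    _write(root, "wp-includes/ID3/constructed-shell.php", "<?php\n// constructed stand-in\n")
    _write(root, "wp-content/uploads/2014/11/constructed-shell.php", "<?php\n")
    # Symptom 3: swfobject.js appended with a reference to another host.
    _write(root, "wp-includes/js/swfobject/swfobject.js",
           clean["wp-includes/js/swfobject/swfobject.js"]
           + '/* constructed */ var s = "http://malicious.example/js/collect.js";\n')
    return sweep(root, manifest, "www.example-site.test")


if __name__ == "__main__":
    for category, items in demo().items():
        print(category, items)
```

The external-host check alone would miss the variant described above where the loader points at the site’s own URL for an infected collect.js, so the manifest comparison is the check that matters most; include plugin and theme files in it, and take the reference copies from the same WordPress version that is installed, since a file from a different release will show as modified even when it is clean.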

We chose not to alert all the script kiddies

I know what you’re thinking: if we knew about this back in November, why didn’t we blog about it?

Our searches showed a growing number of sites being infected. As of December 17, 2014, we saw 307,000 sites still infected with this – and they have all been verified by us as well.

We did not want to be the one to let every script-kiddie know so they could go out searching for these sites and take advantage of the backdoor shell on all these sites. We’ve been contacting these site owners to let them know and we feel that is the responsible thing to do.

I’m not saying that this was reported wrong. I’m just saying we made the decision to not report it to the masses.

Maybe a missed opportunity. It’s not the first time and it won’t be the last.

Website malware hijacks 500,000 computers

Proofpoint security researcher Wayne Huang has released a report detailing the inner workings of a cybercrime group that reportedly had control of about 500,000 devices.

The entire scheme begins with the cybercrime group buying stolen passwords from others. What passwords did they seek?

Website passwords!

They would upload a backdoor shell, which still allowed the website to function normally, but as the website owner drew more visitors to the site, the cybercriminals would inject their code into the website’s files and infect the devices (computers, tablets, smartphones…) of those visitors. Website malware was used to infect the visitors’ devices.

The infected devices would be used as usual, but the cybercriminals would be receiving any banking login information and other logins – which was their original plan.

As an additional bonus, the cybercriminals would also rent access to these infected (now controlled by the cybercriminals) devices for other underground criminals to use as they wish.

Since most of us have anti-virus programs on all our devices, how did they get so many devices infected?

This group of hackers (cybercriminals, if you prefer) used a service that checks their malicious code against all the anti-virus programs available. If the service found any that detected the malicious code, the hackers would use a variety of techniques to change the malicious code enough to “fly under the radar”.

Their website malware would only attempt to infect the devices of “regular”-looking visitors. They had lists of IP addresses for various security companies and sites, and their malicious website code would only be displayed for IP addresses not in their list.

[Figure: Proofpoint attack chain graphic]

This graphic is from the Proofpoint research.

Notice where it all starts on the far left – infected websites.

Still don’t think hackers want your website?

Guess again.

This research shows how important your website (or, if you’re a website developer or webmaster, all the websites you work on) is to the cybercriminals. They need your websites. They want your websites.

The security researcher Huang was able to find the address of the cybercriminals’ control panel. Believe it or not, they had left it unprotected – no password required. Once in, he was able to grab more information and presented it in his research paper.

Huang contacted some of the website owners when he found out who had the website malware on their sites. Many of them checked their sites with some of the online scanners and the reports came back clean. This was due to the IP address list the hackers had built into their malicious website code.

Please understand that cybercriminals are not all going after the Targets, Home Depots and banks. Quite often they need your website to start their money making schemes.

If you have any questions about this or website malware in general, please either contact me at traef@wewatchyourwebsite.com or post a comment.

Thank you for reading.