
OSS CMS Security Advisory: The Curse of BabaYaga

Recently, a new type of malware was discovered infiltrating WordPress, Joomla, and Drupal websites. This new malware goes by the name BabaYaga (a supernatural forest spirit that flies around in a mortar wielding a pestle), and it has been causing a stir in the security community.

The group behind the attack, believed to be Russian hackers, created the malware in order to generate profit by spamming affiliate links.

The malware itself is what is causing a reaction, in both the security and hacking communities: BabaYaga destroys other malware out of self-interest.

Let's dissect BabaYaga and discover why malware that deletes other malware is more dangerous than you probably think it is.

What is BabaYaga?

BabaYaga is essentially redirect malware. It takes over a page and spams it with content that, via embedded code, redirects the user to affiliate spam. Of course, this is bad in itself, but the malware is far more advanced than that.

The malware has two parts to it. First, it takes over a site, injecting spam content and affiliate links. Then, it creates a backdoor to give the hacker complete control over the infected website.

BabaYaga allows the hacker to manually upload files to the compromised website, gives them access to the file manager, and lets them execute shell commands.

While BabaYaga can infect any PHP-driven website, it seems to be heavily focused on WordPress (as evidenced by new versions being released in step with WordPress updates). Currently, BabaYaga is able to infect the latest version of WordPress.

But what makes BabaYaga so interesting is that it doesn't just take over a website; it protects it.

What Makes BabaYaga so Interesting?

BabaYaga is very good at making sure that its host website doesn't get detected as having malware. The malware will go so far as to update the WordPress installation itself to make sure that the blog runs smoothly (and so keeps its SEO rankings up).

Because the malware is injecting hidden, keyword-loaded pages on the host site, making sure that the WordPress site is up to date is vital for the hacker.

Once the malware has made sure that everything is up and running smoothly, it does something very interesting: it runs a virus scan. See, BabaYaga isn't only malware; it's also an antivirus.

BabaYaga will delete all other instances of malware on the infected website. The reasons for this are two-fold. BabaYaga doesn't want poorly coded competing malware to prevent it from working (or, at the very least, to stop pages from loading correctly, which would affect earnings from affiliate spam), and BabaYaga doesn't want the owner of the infected website to detect any malware at all.

This sophisticated malware has the ability to establish itself as the primary malware on a site, taking control completely out of the owner's hands.

This new malware-fighting malware is undoubtedly dangerous, but it also marks a further move towards more sophisticated malware targeting OSS (WordPress in particular).

Will future malware pick up on BabaYaga's malware-fighting prowess? It makes sense: getting rid of the competition is never a bad thing from the attacker's point of view.

How to Know if You've Been Infected

Since BabaYaga takes over web pages and immediately starts filling hidden pages with keywords, it can be difficult to detect.

Malware scanners may do the trick, and you may even find it manually. As always, WordPress and other OSS are tricky when it comes to security (the obvious pitfall of OSS). Confirmation of the BabaYaga malware comes just weeks after news surrounding backdoor vulnerabilities in WordPress and vulnerabilities in plugins like Jetpack.
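The post describes three symptoms a site owner could look for: core or theme files that have been altered, new PHP files dropped where the backdoor can reach them, and injected redirect or hidden keyword content. The script below is an added example, written for this page and not code from the original post or from any scanner it mentions; it compares a WordPress tree against a known-good hash baseline and greps files for those indicators. The indicator regexes and the toy site layout are assumptions chosen to illustrate the checks, not signatures of BabaYaga.

```python
import hashlib
import os
import re
import tempfile

# Indicator regexes are an assumption for this example: client-side redirects and
# hidden content (the post's spam behaviour) plus common PHP execution sinks that a
# command-executing backdoor would need. They are not BabaYaga-specific signatures.
INDICATORS = {
    "redirect": re.compile(r"(window\.location|http-equiv=[\"']?refresh)", re.I),
    "hidden_content": re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I),
    "php_exec_sink": re.compile(r"\b(eval|shell_exec|system|passthru|base64_decode)\s*\(", re.I),
}


def sha256_file(path):
    """Hash a file in chunks so large uploads don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _walk(root):
    """Yield (relative_path, absolute_path) for every file under root, '/'-separated."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def build_baseline(root):
    """Record the hash of every file while the install is known to be clean."""
    return {rel: sha256_file(full) for rel, full in _walk(root)}


def scan_site(root, baseline):
    """Report modified baseline files, new PHP files, and files matching indicators."""
    findings = {"modified": [], "new_php": [], "indicators": {}}
    for rel, full in _walk(root):
        digest = sha256_file(full)
        if rel in baseline:
            if baseline[rel] != digest:
                findings["modified"].append(rel)
        elif rel.lower().endswith(".php"):
            # Any PHP file that was not in the baseline deserves a look, especially
            # under wp-content/uploads where nothing executable should appear.
            findings["new_php"].append(rel)
        with open(full, "r", encoding="utf-8", errors="replace") as f:
            text = f.read()
        hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
        if hits:
            findings["indicators"][rel] = hits
    findings["modified"].sort()
    findings["new_php"].sort()
    return findings


def build_sample_site():
    """Constructed toy WordPress tree: a clean baseline, then a simulated infection."""
    root = tempfile.mkdtemp(prefix="wp_demo_")

    def write(rel, content):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as f:
            f.write(content)

    write("index.php", "<?php require __DIR__ . '/wp-blog-header.php';\n")
    write("wp-content/themes/demo/footer.php", "<footer>demo theme</footer>\n")
    baseline = build_baseline(root)

    # Simulated compromise (constructed): hidden keyword block and a redirect injected
    # into the theme footer, plus an inert dropper-style file in the uploads directory.
    write(
        "wp-content/themes/demo/footer.php",
        "<footer>demo theme</footer>\n"
        '<div style="display:none">cheap pills best price</div>\n'
        "<script>window.location='http://affiliate.example/';</script>\n",
    )
    write("wp-content/uploads/cache.php", "<?php // constructed, inert sample\neval(base64_decode(''));\n")
    return root, baseline


if __name__ == "__main__":
    site, clean = build_sample_site()
    for category, items in scan_site(site, clean).items():
        print(category, items)
```

In practice the baseline would be taken from a fresh download of the same WordPress, theme and plugin versions rather than from the live tree, since a site that has already been taken over (and, as the post notes, kept fully updated by the malware) cannot vouch for itself.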

Closing Notes

The fight against malware that infects WordPress is never-ending. Because of the open source nature and popularity of WordPress, malware targeting the platform will continue to be developed at a rapid pace.

If you are looking for a CMS that is super-secure, affordable and easy-to-use, contact us. QuickSilk is fully customizable, has a drag-and-drop interface, and is one of the most secure CMS platforms on the planet.
