BabaYaga: Self-Healing Malware

A Folk Tale Comes to Life - and not in a good way!

Recently, a new type of security vulnerability was discovered infecting PHP and MySQL sites. For purposes of this article we’ll focus on sites built with the WordPress content management system. This new malware attack goes by the name Baba Yaga.

Baba Yaga (in Russian folklore it’s a supernatural forest spirit that flies around in a mortar, wielding a pestle, and dwells deep in the forest in a hut described as standing on chicken legs).

The group behind the attack -- believed to be Russian hackers — created the self-updating Baba Yaga program in order to generate profit via spamming affiliate links.

Fairy tales aside, Baba Yaga is causing quite a reaction - both in the security and hacking community - given its ability to destroy other malware in self-interest. WordFence describes Baba Yaga as an infection that can remove other malware, with a wide array of features conducive to persistent infection - by remotely controlling the site.

Let's dissect Baba Yaga and discover why its ability to remove its competition is more dangerous than you probably think it is.

What is Baba Yaga?

Baba Yaga is redirect malware. It takes over a page, generating spam content that will redirect the user to affiliate phishing websites via embedded code. Of course, this is bad in itself, but the program is far more advanced than that.

This self-updating computer worm has two parts to it. First, after gaining access, it takes over the WordPress site injecting spam content and affiliate links. Then, it creates a backdoor to give the hacker complete control over the infected website.

Baba Yaga allows the hacker to manually upload files to the compromised website, as well as gives them access to the file manager and the ability to execute shell commands.

While BabaYaga can infect any PHP driven website, it seems to be heavily focused on WordPress (as evidenced by new versions being released in sequence with WordPress updates). Currently, Baba Yaga is able to infect the most updated version of WordPress.

What Makes Baba Yaga so Interesting?

What makes Baba Yaga so interesting is that it doesn't just take over a website - it protects it. BabaYaga is very good at making sure that its host website doesn't get detected for having malware.

Wordfence recently published a white paper that concisely describes how this new type of malware operates, stating that: “Baba Yaga is an emerging threat that is more sophisticated than most malware. It deeply infects a site, spreads to other sites, ensures that the infected site is in good working order and will even remove other malware. It even has the ability to update or reinstall WordPress.”

Because the program is injecting hidden pages on the host site that are keyword loaded, making sure the WordPress site is up-to-date is vital for the hacker.The computer virus will go so far as to update the entire WordPress site to make sure that the blog runs smoothly (i.e., increases its SEO rankings).

Once the program has made sure that everything is up and running smooth, it does something very interesting; it runs a virus scan to see if the site is infected with other malware. See, Baba Yaga isn't only malware; it's also an antivirus.

Baba Yaga will also remove other malware on the infected website. The reasons for this are two-fold. Baba Yaga doesn't want poorly-coded competing infections to prevent it from working (or at the very least preventing pages from loading correctly which would affect earnings from affiliate spam,) and Baba Yaga doesn't want the owners of the infected WordPress sites to detect any infections.

This sophisticated malware has the ability to root itself as the primary malware on a site - completely taking control out of the owner's hands.

This new malware fighting malware is undoubtedly dangerous, but it also marks a further move towards malware sophistication targeting open source software (in specific WordPress websites).

Will future malware pick up on Baba Yaga's malware fighting prowess? It makes sense; getting rid of the competition is never a bad thing.

How to Know if You've Been Infected

Since Baba Yaga takes over web pages and immediately starts spamming hidden pages with keywords, it can be difficult to detect.

Malware scanners and security software may do the trick, and you may even find it manually. As always, WordPress and other open source projects are tricky when it comes to security (the obvious pitfall of OSS.)

Confirmation of the Baba Yaga malware comes just weeks after news surrounding backdoor vulnerabilities in WordPress and vulnerabilities in plugins like WordPress' own JetPack plugin.

Closing Notes

The fight against malware, viruses and worms that infect WordPress websites is a never-ending fight. Because of the open source nature and popularity of WordPress, malware will continue to be developed targeting the platform at a rapid pace. Baba Yaga is a new and dangerous malware application that lays the foundation for an entirely new category of malware; self-updating malware that destroys competing malware.

Although she is mostly portrayed as a ferocious old crone, Baba Yaga (forever a shapeshifter ) can also play the role of helper and wise woman. The Earth Mother, like all forces of nature, though often wild and untamed, can also be kind. In her guise as wise hag, she sometimes gives advice and magical gifts to heroes and the pure of heart. It’s said the hero or heroine of the story enters Baba Yaga’s domain searching for wisdom, knowledge and truth.

Baba Yaga is said to be all-knowing, all seeing and all-revealing to those who dare to inquire. Knowing this one has to ask - is Baba Yaga trying to help those using open source software better understand the risks and vulnerabilities that are inherent with open source?

Related posts

  • Aug 16, 2017, 12:00 AM

    Easy. QuickSilk offers a simple, and more affordable, secure web content management (WCM) platform.  Continue reading to learn more.