BabaYaga and the Rise of Malware-Destroying Malware

The team behind Wordfence (a security plugin for WordPress websites) discovered a new type of malware called BabaYaga. It is named after the witch of Slavic folklore and appears to be the work of Russian hackers.

An important feature of BabaYaga is that it is self-updating. More specifically, it accesses a URL on a command-and-control server and downloads the latest version of itself, which also means the code present on any given infected site can change without a fresh compromise.

BabaYaga can infect WordPress, Joomla, Drupal, and generic PHP websites. The malware publishes spam content on the infected websites, and visitors to an infected site are redirected to affiliate websites by embedded JavaScript code. It is worth pointing out that the malware can install and upgrade WordPress itself, so that the compromised site keeps functioning and its redirects keep reaching the affiliate websites. If a visitor purchases products or services from those affiliate websites, the creators of BabaYaga collect the referral commissions.

What sets BabaYaga apart from other malware is its antivirus functionality. Below, we examine this functionality in detail (see Section 2) and discuss the impact it may have on the field of malware (see Section 3). Finally, we provide concluding remarks (see Section 4).

BabaYaga checks target files for existing malware and, where it finds any, replaces the infected files with clean versions. Furthermore, BabaYaga searches for files named “index.html,” “index.htm,” or “index.asp” that contain the text “hacked” and deletes any it finds. Such files are usually defacement pages left behind by other attackers; a visible defacement draws the site owner’s attention to the compromise and would therefore risk exposing BabaYaga as well.
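To make the defacement-page check concrete, here is an added example written for this page (it is not code from the Wordfence report, from the InfoSec Resources post, or from BabaYaga itself). It reimplements the described logic from the defender's side: walk a document root, look only at files named index.html, index.htm or index.asp, and report those whose contents contain "hacked". Unlike the malware it never deletes anything, it also records a SHA-256 of each hit for the incident record, and it matches case-insensitively; that last choice is an assumption, since the report does not say whether the malware's match is case-sensitive. The sample document root and its file contents are constructed for the demonstration.

```python
"""Defender-side reimplementation of the index.html/index.htm/index.asp
"hacked" check described for BabaYaga. Added example, not original code.
"""
import hashlib
import os
import tempfile

# File names the text says the malware inspects.
TARGET_NAMES = {"index.html", "index.htm", "index.asp"}
# Marker string the text says triggers deletion.
MARKER = b"hacked"


def find_defacement_pages(docroot, marker=MARKER, names=TARGET_NAMES):
    """Return a sorted list of (relative path, sha256 hex) for every file under
    docroot whose name is in `names` and whose bytes contain `marker`.

    The match is case-insensitive (assumption: the report does not state the
    malware's case handling). Files that cannot be read are skipped rather
    than treated as hits.
    """
    hits = []
    marker_lc = marker.lower()
    for dirpath, _dirs, files in os.walk(docroot):
        for fname in files:
            if fname.lower() not in names:
                continue
            full = os.path.join(dirpath, fname)
            try:
                with open(full, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            if marker_lc in data.lower():
                rel = os.path.relpath(full, docroot).replace(os.sep, "/")
                hits.append((rel, hashlib.sha256(data).hexdigest()))
    return sorted(hits)


def build_sample_docroot():
    """Create a constructed document root: one clean index page, two
    defacement-style index pages, and a non-index file that mentions the
    marker (which must NOT be reported). Returns the root path."""
    root = tempfile.mkdtemp(prefix="babayaga-demo-")
    layout = {
        "index.html": b"<html><body>Welcome to our shop</body></html>",
        "wp-content/uploads/index.htm": b"<h1>HACKED by someone</h1>",
        "old/index.asp": b"<% Response.Write(\"site hacked\") %>",
        "old/readme.html": b"this file says hacked but is not an index page",
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_docroot()
    for rel, digest in find_defacement_pages(root):
        print(f"possible defacement page: {rel} sha256={digest}")
```

Run it against a real document root by calling find_defacement_pages("/var/www/html") instead of the constructed sample; because the function only reports, a hit can be reviewed before anything is removed, and the recorded hash lets the file be matched against later findings even if a cleaner (malicious or otherwise) deletes it.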

The antivirus functionality of BabaYaga allows the malware to flourish on systems that are already infected with other malware. It opens a new paradigm in the field of malware, namely, a shift from (i) malware that aims mainly to proliferate to (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Daniel Dimov. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/fKBTcpLau1A/