The team behind Wordfence (a security plugin for WordPress websites) discovered a new type of malware called BabaYaga. It bears the name of a mythical Slavic creature and appears to have been created by Russian hackers.
An important feature of BabaYaga is that it is a self-updating malware. More specifically, it accesses a URL on a command-and-control server and downloads the latest version of itself.
What makes BabaYaga different from other types of malware is its antivirus functionality. Below, we examine in detail this innovative functionality (see Section 2) and discuss the impact it can have in the field of malware (see Section 3). Finally, we provide concluding remarks (see Section 4).
BabaYaga checks target files for existing malware and, if they contain malware, replaces the infected files with uninfected versions. Furthermore, BabaYaga searches for files named “index.html,” “index.htm,” or “index.asp” containing the text “hacked.” If BabaYaga finds any of these, it deletes them. The reason for deleting such files is that they are usually defacement pages, and their presence would draw attention to the site and thus reveal the presence of BabaYaga.
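From a site owner's perspective, the defacement pages BabaYaga removes are worth finding and reporting rather than silently losing: a defaced index page that vanishes on its own is itself a sign that something else is tending the site. The following scanner is an added example written for this post, not Wordfence's or the malware's code; the directory layout and file contents are constructed for the demo, and it only reports matching files, never deletes them.

```python
"""Locate defacement-style index pages of the kind BabaYaga deletes.
Added example for this post, not Wordfence's or the malware's code.
Directory layout and file contents below are constructed for the demo.
"""
import os
import tempfile

TARGET_NAMES = {"index.html", "index.htm", "index.asp"}
MARKER = b"hacked"


def find_defacement_pages(root):
    """Return sorted, slash-separated relative paths of index pages containing 'hacked'."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in TARGET_NAMES:
                continue  # only the three file names the malware targets
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1024 * 1024)  # cap read; defacement pages are small
            except OSError:
                continue  # unreadable file: skip it, do not abort the scan
            if MARKER in data.lower():  # byte-based and case-insensitive
                hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


def build_demo_site():
    """Create a constructed sample web root with exactly one defaced page."""
    root = tempfile.mkdtemp(prefix="babayaga-demo-")
    layout = {
        "index.html": b"<html><body>Welcome to our shop</body></html>",
        "blog/index.htm": b"<h1>HACKED by someone</h1>",
        "blog/index.asp": b"<% Response.Write(\"hi\") %>",
        "assets/readme.txt": b"hacked (not an index page, ignored)",
    }
    for rel, body in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for hit in find_defacement_pages(build_demo_site()):
        print("defacement page:", hit)
```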
The anti-virus functionality of BabaYaga allows the malware to flourish in computer systems that are infected with other viruses. It opens a new paradigm in the field of malware, namely, a shift from (i) malware that aims mainly to proliferate to (Read more...)
*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Daniel Dimov. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/fKBTcpLau1A/