BabaYaga is the name of a mythical Slavic supernatural being that looks like a ferocious woman. She can either help you or harm you, be careful which. Now that name has been given to a new kind of malaware. BabaYaga Malware was discovered and reported by Wordfence technical experts.
BabaYaga targets WordPress websites most of the time, but it has also the capability to infect Joomla, Drupal, and even generic PHP based websites. Its malware infection generates spam links and redirects your website to other websites, but remains difficult to detect by its victims.
BabaYaga works like an anti-virus. It can detect and remove other malware that infected your site. While it may sound great and helpful, but it’s like a lion trying to protect a buffalo from another lion’s breakfast preserving him for dinner. In short, BabaYaga can kill other malware. One of its unique features is that it is a self-updating malware which means after it removes other malware it will eventually update on its own, hiding its malicious purpose.
Like an actor playing a role of a bad person trying to be good. It detects and removes other malware for a very simple reason – your site needs to be active without notable issues so it can do its business. When your site is down nobody is on it and no business for BabaYaga.
BabaYaga seems to be nice while it is not. It searches target files and checks if it contains malware then replaces it with a clean version. It will also find your index file and delete it since the index file can give it away in thatBabaYaga is present. It can severely impact your site’s Search Engine Optimisation (SEO). It could also make your site vulnerable to other security threats.
When BabaYaga occupies your site, no other malware can penetrate or remain in there that makes it free to start working its real purpose. It will start generating spam content full of keywords that will easily show up in search engines. If a careless user were to click a link, he will be redirected to an external link, an affiliate link using your site to drive traffic to their syndicated website. If the user has to purchase something from that website, two things could happen; they will get a commission out of the purchase or they capture the payment details and use it to their benefit.
There is one simple way to detect if your site is infected. First, open a Google browser and type site:yourwebsite.com (of course you need to replace it with your own domain) and hit enter or click the search icon. The search results appear and if it looks like this picture, it means your site is infected.
If all the titles and descriptions are exactly the same of what your site contains, your good! See example below.
If you find your site is infected, you can do the following as soon as you can:
If you find your site is infected, you can do the following:
Protection is still better than cure. Protecting your site against malware attack is less expensive than fixing and cleaning it up. You can do the following to keep your WordPress site secure:
There are many other advanced methods to keep your site secure that we offer in our Website Care packages.
Nothing is foolproof. We expect more and more malware with similar features and enhanced functionalities to show up. Competing with each other or combining to hack your site.
Always remember that on the internet, things evolve very quickly. There is no security forever. We just have to protect what we have right now and deal with what will come in the future.
If you want to discuss how to best protect your site, please contact us today.
