A new malware strain allegedly created by Russian programmers is generating spam content consisting of affiliate links on infected WordPress sites, according to a report by WordPress security firm Wordfence.
The malware, BabaYaga, creates thin or purposeless content on the host’s website solely for the purpose of attracting search engine traffic.
Interestingly, the malware also contains an anti-malware function that helps identify and remove competing malware.
This has been included in the malware to ensure the infected WordPress installation doesn’t break (the malware executes during page load and thus requires WordPress to be functional for it to operate).
Furthermore, if a WordPress website malfunctions as a consequence of a less elegant attack, it will likely spur the administrator into investigating the problem and thus increase the probability BabaYaga will be detected.
To maximize its effectiveness, the malware is replicated across multiple WordPress files. This ensures that if one file is detected, other files may remain and prolong the infection.
Moreover, the files contain a “backdoor function” that reinfects as long as a single file from the malware is present.
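Because a single leftover file is enough to reinfect the site, cleanup has to find every changed or added file in one pass. The following is an added example, not code from Wordfence or from the report: it compares a WordPress tree against a hash baseline assumed to have been taken from a known-clean install, and all file names and contents in `demo()` are constructed.

```python
import hashlib
import os
import tempfile

SCRIPT_EXTS = (".php", ".phtml", ".phar")  # treated as server-side executable
UPLOADS = "wp-content/uploads/"            # user content, not in the baseline

def snapshot(root):
    """Map every file under root to its SHA-256, keyed by relative path."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            out[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return out

def audit(root, baseline):
    """List every deviation from the baseline; non-script uploads are skipped."""
    current = snapshot(root)
    report = {"modified": [], "unexpected": [], "missing": []}
    for rel, digest in current.items():
        if rel in baseline:
            if baseline[rel] != digest:
                report["modified"].append(rel)
        elif not rel.startswith(UPLOADS) or rel.lower().endswith(SCRIPT_EXTS):
            report["unexpected"].append(rel)
    report["missing"] = [rel for rel in baseline if rel not in current]
    return {kind: sorted(paths) for kind, paths in report.items()}

def demo():
    """Constructed site: baseline first, then changes spread over several files."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(data)
        write("index.php", "<?php // front controller\n")
        write("wp-includes/load.php", "<?php // core loader\n")
        baseline = snapshot(root)
        write("wp-content/uploads/photo.jpg", "image bytes")  # normal upload
        write("wp-includes/load.php", "<?php // core loader, changed\n")
        write("wp-includes/extra.php", "<?php // not in baseline\n")
        write("wp-content/uploads/cache.php", "<?php // script in uploads\n")
        return audit(root, baseline)

if __name__ == "__main__":
    print(demo())
```

Every path in the report should be restored or removed in the same maintenance window, then the audit rerun to confirm nothing was recreated.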
Other features of the malware include:
- Infected installations will host a file upload tool that allows an attacker to upload files; and
- What Wordfence refers to as a “phone home” feature that allows the malware to update itself.
A more comprehensive and technical overview of the malware is available in the Wordfence report.
If you were infected and want to prevent this from happening again in the future, check out our Managed WordPress Hosting plans.