Malware analysis

BabaYaga and the Rise of Malware-Destroying Malware

Daniel Dimov
July 4, 2018 by
Daniel Dimov

1. Introduction

The team working behind Wordfence (a security plugin for WordPress websites) discovered a new type of malware called BabaYaga. It bears the name of a mythical Slavic creature and appears to be created by Russian hackers.

An important feature of BabaYaga is that it is a self-updating malware. More specifically, it accesses a URL on a command-and-control server and downloads the latest version of itself.

BabaYaga can infect WordPress, Joomla, Drupal, and generic PHP websites. The malware publishes spam content on the infected websites. Once a person visits an infected website, she will be redirected to affiliate websites by embedded JavaScript code. It is important to point out that the malware can install and upgrade WordPress to ensure that the affiliate websites are fully functional. In case a user purchases products or services from the affiliate websites, the creators of BabaYaga will get referral commissions.

What makes BabaYaga different from other types of malware is its antivirus functionality. Below, we examine in detail this innovative functionality (see Section 2) and discuss the impact it can have in the field of malware (see Section 3). Finally, we provide concluding remarks (see Section 4).

2. Antivirus functionality of BabaYaga

BabaYaga checks target files for existing malware and, if they contain malware, replaces the infected files with uninfected versions. Furthermore, BabaYaga searches for files named "index.html," "index.htm," or "index.asp" containing the text "hacked." If BabaYaga finds any of these, it will delete them. The reason for deleting such files is that they are usually defacement pages which will reveal the presence of BabaYaga.

The anti-virus functionality of BabaYaga allows the malware to flourish in computer systems that are infected with other viruses. It opens a new paradigm in the field of malware, namely, a shift from (i) malware that aims mainly to proliferate to (ii) malware that aims to proliferate and ensure the best environment for its operation.

3. The impact BabaYaga can have in the field of malware

Considering the example of BabaYaga, we can expect the appearance of more malware having anti-virus functionality. In turn, this is likely to lead to competition amongst malware creators which will result in more sophisticated types of malware based on two main components, namely, a proliferation component and an anti-malware component.

While there is nothing new in the operation of the proliferation component, we are likely to witness significant developments in the anti-malware component. For example, the anti-malware component may develop from (i) a component aiming to eliminate other malware too (ii) a component aiming to neutralize and use other malware. To illustrate, while BabaYaga merely eliminates certain malware from the infected computers, a future version of BabaYaga may inject itself in competing for malware and neutralize its impact on the infected system without affecting the propagation capacity of the competing malware. Thus, by spreading itself, the competing malware will spread the new version of BabaYaga. It is worth mentioning that even some biological viruses can affect other viruses. For example, researchers at the University of the Mediterranean discovered a virus named Sputnik that infects another type of virus called Mamavirus.

Computer malware that, similarly to Sputnik, exploits other malware for malicious purposes may be particularly dangerous if it includes artificial intelligence features (especially machine learning) which will allow it to identify competing types of malware and "learns" from their functionalities. Such a type of malware will constantly be adding new functionalities to its malicious arsenal while, at the same time, neutralizing its competitors.

4. Conclusion

This article has clearly indicated that BabaYaga is a new dangerous malware application that lays out the foundation of an entirely new category of malware, i.e., malware-destroying malware. A white paper published by Wordfence succinctly describes the operation of this new type of malware as follows: "BabaYaga is an emerging threat that is more sophisticated than most malware. It deeply infects a site, spreads to other sites, ensures that the infected site is in good working order and will even remove other malware. It even has the ability to update or reinstall WordPress."

To detect whether BabaYaga is installed on a computer, one can initiate two steps. First, she should check whether the computer is contacting one of these hosts: ( and ( Second, she can use the YARA compatible scanning rules provided by Wordfence in its whitepaper on BabaYaga. The whitepaper can be found in the references below. The rules are compatible with the open source antivirus engine Clapman.

By removing BabaYaga from her computer, a user not only eliminates a dangerous malware application but also contributes towards the fight against spam. It is worth reminding that the purpose of BabaYaga is to show spam on infected websites. According to the Journal of Economic Perspectives, spammers get 200,000 million U.S. dollars per year from spam-related activities, and Internet users spend USD 20 billion U.S. dollars per year handling spam messages.


1. Brunton, F., 'Spam: A Shadow History of the Internet', MIT Press, 2013.

2. Calic, A., 'BabaYaga Malware',, 14 June 2018. Available at .

3. Dalziel, H., 'How to Defeat Advanced Malware: New Tools for Protection and Forensics', Syngress, 2014.

4. Haas, B., 'BabaYaga - The Self Healing WordPress Malware', Wordfence, 5th of June 2018. Available at .

5. Holt, T., Bossler, A., Seigfried-Spellar, K., 'Cybercrime and Digital Forensics: An Introduction', Routledge, 2015.

6. Saxe, J., Sanders, H., 'Malware Data Science: Attack Detection and Attribution', No Starch Press, Incorporated. 2018.

7. Sikorski, M., Honig, A., 'Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software', No Starch Press, 2012.

8. Smith, J. 'New malware infects WordPress websites and redirects traffic to pages comprising affiliate links', Indivigital, 11th of June 2018. Available at .

9. Wagner, K., 'All the Spam in the World Makes $200 Million—And Costs Us $20 Billion', Gizmodo, 7th of August 2012. Available at[object%20Object] .

10. Yong, E., 'The virophage – a virus that infects other viruses', ScienceBlogs, 7th of August 2018. Available at .

Become a certified reverse engineer!

Become a certified reverse engineer!

Get live, hands-on malware analysis training from anywhere, and become a Certified Reverse Engineering Analyst.


Rasa Juzenaite works as a project manager at Dimov Internet Law Consulting (, a legal consultancy based in Belgium. She has a background in digital culture with a focus on digital humanities, social media, and digitization. Currently, she is pursuing an advanced Master's degree in IP & ICT Law.

Daniel Dimov
Daniel Dimov

Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting (, a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International law “T.M.C. Asser Institute” (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a Master's Degree in European law (The Netherlands), a Master's Degree in Bulgarian Law (Bulgaria), and a certificate in Public International Law from The Hague Academy of International law.