Linux.Wifatch: Vigilante Hacker Infects Routers with Malware to Fight Bad Malware
A newly discovered malware, called Linux.Wifatch by security firm Symantec, has been found to compromise at least 10,000 Linux routers. Unlike other malware, however, Wifatch protects the compromised router from other infections, shielding its victims instead of exploiting them.
Security giant Symantec has discovered a new vigilante malware that behaves like most other malware by infecting a vulnerable device, remaining undetected while operating and actively updating itself over a peer-to-peer (P2P) network.
The malware dubbed Linux.Wifatch comes with a strikingly different set of capabilities. Instead of harming the compromised router and the computers on its network, Wifatch secures it by safeguarding it from other malware.
Quite simply, Wifatch is protecting over 10,000 routers running Linux by infecting them.
The complete report detailing the discovery of Wifatch by Symantec can be found here.
Linux.Wifatch was first discovered last year by an independent researcher. The malware now infects more than 10,000 routers, predominantly in China and Brazil. Over time, Wifatch has been observed keeping its virus definitions updated through its P2P network, blocking channels typically used by malware to infect routers, and even deleting the traces of malware that does get through.
Wifatch even has a module that is constantly updated and exists to remove “well-known families of malware targeting embedded devices.”
Mario Ballano, a Symantec researcher who wrote about the findings, points to the likelihood of a mysterious vigilante hacker being the brains behind Wifatch due to comments left in the code. Specifically, the comments include an email signature used by Richard Stallman, a free software advocate, which reads:
To any NSA and FBI agents reading my email: please consider whether defending the US Constitution against all enemies, foreign or domestic, requires you to follow Snowden’s example.
While internet vigilantes are usually loud and boisterous in their aggressive way of operating through means such as DDoS attacks or breaches involving corporate databases, Wifatch appears far more subtle in the way it works. Ballano added:
For all intents and purposes it appeared like the author was trying to secure infected devices instead of using them for malicious activities.
Additionally, Wifatch even reminds users to update the router’s firmware whenever an attempt is made to access Telnet, the remote-administration service that controls functions on the device and is routinely used by other malware to infect the router.
Symantec notes that resetting the router to its default settings will remove the Wifatch malware during reboot. However, the same device may be infected by Wifatch again over time. The security firm is advising users to update the router’s software and keep its firmware up to date.
“There is no doubt that Linux.Wifatch is an interesting piece of code. Whether the author’s intentions were to use their creation for the good of other IoT users—vigilante style—or whether their intentions were more malicious remains to be seen,” notes Ballano.
What we do know is that it pays to be suspicious and, with this in mind, Symantec will be keeping a close eye on Linux.Wifatch and the activities of its mysterious creator.