Malware Peddling Vigilantes behind Linux.Wifatch Speak Up


The group of black/white-hat (?) hackers who infected over 10,000 Linux routers with malware to fend off the really bad malware have come forward, speaking to Symantec, the security software company that originally revealed the mysterious malware.

Linux.Wifatch recently made plenty of headlines when security researchers at Symantec uncovered it for what it was – a white-hat malware safeguarding routers, IP cameras and other devices from typical havoc-mongering malware.

After the reveal, a group calling itself “The White Team” recently published the entire source code for Linux.Wifatch on GitLab and all signs point to them being the ‘vigilantes’ behind the malware.

Mario Ballano, the Symantec employee who originally revealed the malware, has now updated the original blog post, noting that the author(s) of Linux.Wifatch have reached out with a Q&A to explain the reasons behind their actions.

Writing in a series of FAQs after the public dump of the source code, the White Team said:

Apart from the learning experience, this is a truly altruistic project, and no malicious actions are planned.

The group also adds that Linux.Wifatch was never intended to be secretive and that, to be “truly ethical, it needs to have a free license.” However, the developers did not go out of their way to make Wifatch’s presence known in the wider community, in order to avoid detection by other malware authors.

The group haven’t revealed their identity and contend that they are “nobody important,” while adding that, although they can be trusted not to do “evil things” with users’ devices, anybody could steal the key (speaking figuratively), no matter how well the group protects it.

The developers behind Linux.Wifatch also spoke about feeling a pang of guilt for infecting users’ devices but were firm in their opinion that they were doing more good than harm, ultimately.

The amount of saved bandwidth by taking down other scanning malware, the amount of energy saved by killing illegal Bitcoin miners, the number of reboots and service interruptions prevented by not overheating these devices, the number of credentials and money not stolen should all outweigh this. We co-opted your devices to help the general public (in a small way).

Furthermore, the developers argued that only devices that aren’t properly protected in the first place are targeted and infected, gaining Wifatch’s protection in the process.

Linux.Wifatch doesn’t use elaborate backdoors or 0day exploits to hack devices. It basically just uses telnet and a few other protocols and tries a few really dumb or default passwords (our favourite is “password”). These passwords are well-known – anybody can do that, without having to steal any secret key.

Basically, it only infects devices that are not protected at all in the first place!


Image from Mr.Robot (USA Network).

Samburaj is the contributing editor at Hacked and keeps tabs on science, technology and cyber security.