If there’s such a thing as “ethical malware,” the software security firm Symantec said it might have identified an example: a piece of code named Linux.Wifatch that has infected “tens of thousands” of routers but appears to work to protect those devices from different types of well-known, more damaging malware.
Wifatch was first described in November in a two-part post on a blog called “Loot Myself: Malware Analysis and Botnet tracking.” It is a “sophisticated piece of code” that connects infected routers to a peer-to-peer network of other infected devices, according to Mario Ballano, a senior security response engineer at Symantec. Unlike other malware, however, Wifatch doesn’t appear to be used for malicious purposes, he said.
Instead, the unusual malware apparently works to prevent further infections and sometimes even delivers a message telling device owners to change their Telnet passwords and/or update their firmware. Another unusual aspect is that the source code contains a line of text famously used as an e-mail signature by software freedom activist and GNU Project founder Richard Stallman.
That text states, “To any NSA and FBI agents reading this: please consider whether defending the U.S. Constitution against all enemies, foreign or domestic, requires you to follow Snowden’s example.” Edward Snowden was a former government contractor who leaked classified information from the U.S. National Security Agency in 2013.
Like Something Out of a ‘Hollywood Movie’
The Wifatch story “could well work as the script of a Hollywood movie or superhero comic,” Ballano noted in an Oct. 1 post on Symantec’s Security Response Blog.
Routers, along with the growing number of other networked household devices that make up the Internet of Things, “are becoming more interesting to cyber crooks” not because of the data they contain but because of their ability to connect to other devices and enable activities like distributed denial-of-service attacks, Ballano said. Such infections are also hard to detect, so they can go unnoticed for long periods of time.
When it first learned of Wifatch, Symantec assumed the malware was just another example of such IoT threats. However, “The further we dug into Wifatch’s code the more we had the feeling that there was something unusual about this threat,” Ballano said. “For all intents and purposes, it appeared like the author was trying to secure infected devices instead of using them for malicious activities.”
No Signs of Malicious Behavior
As part of its efforts to track emerging malware threats, Symantec operates a large network of so-called honeypots to collect samples of code from the wild and observe how they work in action. After monitoring Wifatch’s peer-to-peer network for a number of months, however, the company’s security team hasn’t yet seen any signs of malicious activity, Ballano noted.
In addition to preventing other infections on devices, Wifatch also features easily accessed source code and debug messages that “enable easier analysis,” according to Ballano. “It looks like the author wasn’t particularly worried about others being able to inspect the code,” he said.
Of the many devices that Symantec has found to contain Wifatch, 32 percent are in China, while the infection rate in the U.S. is just 5 percent. The vast majority (83 percent) of infections are in routers with ARM architectures; MIPS routers account for 10 percent, and devices with SH4 architectures for 4 percent.
Resetting an infected router will remove the Wifatch malware, although any device could become infected again over time, so users should keep both software and firmware up to date and make sure they are not using default passwords, Ballano noted.
“There is no doubt that Linux.Wifatch is an interesting piece of code,” Ballano said. “Whether the author’s intentions were to use their creation for the good of other IoT users — vigilante style — or whether their intentions were more malicious remains to be seen.”