Avenger Protector Linux.Wifatch Virus Hacks Your Router, Fends Off Malware Strikes

When we usually think of traditional computer viruses, we think of software that is meant to harm machines, turn them into mindless drones that do the bidding of their new master, or exploit the rightful owner’s personal data. However, Symantec recently shed some new light on a virus — first discovered in 2014 — that infects devices not to cause destruction, but to shore up their defenses against true security threats.

Symantec first became aware of Linux.Wifatch back in January, but is just now becoming aware of the full scope of its capabilities. While most traditional malware is designed with ill-intent in mind, Wifatch seemingly infects routers and IoT devices to protect them from truly malicious software. Once Wifatch has infected a router, it sets up a peer-to-peer network to communicate with other infected devices.


Wifatch, which was written in Perl, then uses that same peer-to-peer network to distribute updates to devices, protecting them from potential malware threats. “For all intents and purposes, it appeared like the author was trying to secure infected devices instead of using them for malicious activities,” wrote Symantec’s Mario Ballano, who has been closely tracking Wifatch activity. “Wifatch’s code does not ship any payloads used for malicious activities, such as carrying out DDoS attacks, in fact all the hardcoded routines seem to have been implemented in order to harden compromised devices.”

“Good Guy” Wifatch even takes things a step further by disabling the Telnet daemon, and prompts users not only to change their device password when attempting to access Telnet, but also to update their firmware to prevent further infections from taking place. It should be noted that devices using weak credentials are also initially infected with Wifatch via Telnet.

But despite the seemingly vigilante aspects and good-naturedness of Wifatch, Ballano is quick to point out that it is still a virus, an unauthorized piece of software that is invading devices. “It should also be pointed out that Wifatch contains a number of general-purpose back doors that can be used by the author to carry out potentially malicious actions,” Ballano adds. “However, cryptographic signatures are verified upon the use of the back doors to verify that commands are indeed coming from the malware creator.

“This would reduce the risk of the peer-to-peer network being taken over by others.”

With that being said, tens of thousands of devices are suspected to be infected by Linux.Wifatch, with the majority of those infections — 32 percent — occurring in China. For those wondering, infections in the United States make up just 5 percent of the global total. In addition, over 80 percent of infected devices feature ARM processors, while MIPS and SH4 make up 10 percent and 7 percent respectively.

Ditching Wifatch is as simple as resetting the infected device back to its factory default state, but Ballano warns that future infections are still likely to occur.

Brandon Hill

Brandon received his first PC, an IBM Aptiva 310, in 1994 and hasn’t looked back since. He cut his teeth on computer building/repair working at a mom and pop computer shop as a plucky teen in the mid 90s and went on to join AnandTech as the Senior News Editor in 1999. Brandon would later help to form DailyTech where he served as Editor-in-Chief from 2008 until 2014. Brandon is a tech geek at heart, and family members always know where to turn when they need free tech support. When he isn’t writing about the tech hardware or studying up on the latest in mobile gadgets, you’ll find him browsing forums that cater to his long-running passion: automobiles.

Opinions and content posted by HotHardware contributors are their own.