When we usually think of traditional computer viruses, we think of software that is meant to harm machines, turn them into mindless drones that do the bidding of their new master, or exploit the rightful owner’s personal data. However, Symantec recently shed some new light on a virus — first discovered in 2014 — that infects devices not to cause destruction, but to shore up their defenses against true security threats.
Symantec first became aware of Linux.Wifatch back in January, but is just now becoming aware of the full scope of its capabilities. While most traditional malware is designed with ill-intent in mind, Wifatch seemingly infects routers and IoT devices to protect them from truly malicious software. Once Wifatch has infected a router, it sets up a peer-to-peer network to communicate with other infected devices.
Wifatch, which was written in Perl, then uses that same peer-to-peer network to distribute updates to devices, protecting them from potential malware threats. “For all intents and purposes, it appeared like the author was trying to secure infected devices instead of using them for malicious activities,” wrote Symantec’s Mario Ballano, who has been closely tracking Wifatch activity. “Wifatch’s code does not ship any payloads used for malicious activities, such as carrying out DDoS attacks, in fact all the hardcoded routines seem to have been implemented in order to harden compromised devices.”
“Good Guy” Wifatch even takes things a step further by disabling the Telnet daemon, and prompts users who attempt to access Telnet not only to change their device password, but also to update their firmware to prevent further infections from taking place. It should be noted that Wifatch itself initially infects devices via Telnet, by way of weak credentials.
But despite the seemingly vigilante aspects and good-naturedness of Wifatch, Ballano is quick to point out that it is still a virus, an unauthorized piece of software that is invading devices. “It should also be pointed out that Wifatch contains a number of general-purpose back doors that can be used by the author to carry out potentially malicious actions,” Ballano adds. “However, cryptographic signatures are verified upon the use of the back doors to verify that commands are indeed coming from the malware creator. This would reduce the risk of the peer-to-peer network being taken over by others.”
With that being said, tens of thousands of devices are suspected to be infected by Linux.Wifatch, with the majority of those infections — 32 percent — occurring in China. For those wondering, infections in the United States make up just 5 percent of the global total. In addition, over 80 percent of infected devices feature ARM processors, while MIPS and SH4 make up 10 percent and 7 percent respectively.
Ditching Wifatch is as simple as resetting the infected device back to its factory default state, but Ballano warns that future infections are still likely to occur.