Internet of Things vigilante malware strikes tens of thousands of devices - to protect them

Linux.Wifatch: A force for good or evil?


Researchers are puzzling over the Linux.Wifatch malware -- sophisticated code which appears to help secure IoT devices, and yet also forces infected devices into a peer-to-peer network of infected systems.

On Thursday, Symantec researchers revealed their research into the activity of Wifatch, a peculiar piece of code which does not replicate the usual activities of malware such as bricking systems, conducting surveillance or stealing data.

Linux.Wifatch is, without doubt, malware. It was first discovered in 2014 by a security researcher who noticed his home router acting oddly; the infection had turned his device into a zombie connected to a peer-to-peer network of infected devices. The malware, written in Perl, targets a number of different architectures and delivers its own static Perl interpreter for each type.


The majority of infections appear to take place over Telnet connections through weak credentials and brute-force entry. Symantec estimates that tens of thousands of devices have been infected, with the bulk of infections in China, Brazil and Mexico.


This is where the malware steps away from the norm. Once a device is infected, the Internet of Things (IoT) product -- such as a smart fridge, router, security system or lighting setup -- is connected to a peer-to-peer network. You would think that at this stage the device has become a slave within the P2P network and could then be used in DDoS attacks through the delivery of additional malware payloads.

However, this does not appear to be the case. Instead, threat updates are issued and hardcoded routines "seem to have been implemented in order to harden compromised devices," according to the researchers.

"The further we dug into Wifatch's code the more we had the feeling that there was something unusual about this threat. For all intents and purposes it appeared like the author was trying to secure infected devices instead of using them for malicious activities," Symantec says.

"We've been monitoring Wifatch's peer-to-peer network for a number of months and have yet to observe any malicious actions being carried out through it."

The malware's author has gone further. Once a device is infected, Wifatch will then try to prevent further access by killing the Telnet daemon background process, leaving a message in its place telling device owners to change their passwords and update firmware.


In addition, a Wifatch module launches to try and eradicate any other malware infections present on the compromised IoT device, including well-known malware families which target connected home products for less savory reasons, such as spying and remote control.

Within Symantec's analysis, researchers said:

"Wifatch's code is not obfuscated; it just uses compression and contains minified versions of the source code. It looks like the author wasn't particularly worried about others being able to inspect the code.

The threat has a module that seems to be an exploit for Dahua DVR CCTV systems. The module allows Wifatch to set the configuration of the device to automatically reboot every week. One could speculate that because Wifatch may not be able to properly defend this type of device, instead, its strategy may be to reboot it periodically which would kill running malware and set the device back to a clean state."


It is worth noting that the creator of this vigilante malware may have a darker side.

Wifatch does contain a number of back doors which could be used by the author to carry out malicious activities -- however, cryptographic signatures are required to ensure that the malware creator is the only one able to send commands. The command-and-control (C&C) server is hidden behind the anonymizing Tor network.

Wifatch is peculiar, and certainly outside of the ordinary. It will be interesting to see whether the malware creator intends to remain a force for good -- or whether Wifatch's activities transform in the name of darker purposes over time.
