Internet of Things vigilante malware strikes tens of thousands of devices - to protect them

Linux.Wifatch: A force for good or evil?
Written by Charlie Osborne, Contributing Writer

Researchers are puzzling over the Linux.Wifatch malware -- sophisticated code which appears to harden the IoT devices it infects, yet also joins them to a peer-to-peer network of other infected systems.

On Thursday, Symantec researchers published their analysis of Wifatch, a peculiar piece of code that does not engage in the usual business of malware, such as bricking systems, conducting surveillance or stealing data.

Linux.Wifatch is, without doubt, malware: it breaks into devices and installs itself without their owners' knowledge. It was first discovered in 2014 by a security researcher who noticed his home router acting oddly and found that an infection had turned it into a zombie connected to a peer-to-peer network of other infected devices. The malware is written in Perl, targets a number of different CPU architectures and ships its own statically linked Perl interpreter for each one, so it can run on devices that have no interpreter installed.


The majority of infections appear to arrive over Telnet, with the malware brute-forcing logins that are protected only by weak credentials. Symantec estimates that tens of thousands of devices have been infected, most of them in China, Brazil and Mexico.
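Telnet brute-forcing of weak credentials, the infection route described above, leaves a recognisable trace wherever a device or an upstream syslog collector records login attempts. As an added example that is not part of the original article or of Symantec's research, here is a small Go program that runs that detection over a handful of constructed log lines (the log format, the hostname and the addresses are all assumptions made for the example): it flags sources that rack up a burst of failed logins, and separately flags the sources that then logged in successfully, which is the pattern of a weak credential having been guessed.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"time"
)

// Constructed sample log lines for this example; they are not captured from a
// real device. The format (RFC 3339 time, host, process[pid], message) is an
// assumption: embedded telnetd builds log in many different ways.
var sampleLog = []string{
	"2015-10-01T12:00:01Z router telnetd[311]: login failed user=root from=203.0.113.5",
	"2015-10-01T12:00:03Z router telnetd[311]: login failed user=admin from=203.0.113.5",
	"2015-10-01T12:00:05Z router telnetd[311]: login failed user=admin from=203.0.113.5",
	"2015-10-01T12:00:07Z router telnetd[311]: login failed user=root from=203.0.113.5",
	"2015-10-01T12:00:09Z router telnetd[311]: login failed user=support from=203.0.113.5",
	"2015-10-01T12:00:11Z router telnetd[311]: login ok user=admin from=203.0.113.5",
	"2015-10-01T12:01:00Z router telnetd[311]: login failed user=alice from=198.51.100.7",
	"2015-10-01T12:01:05Z router telnetd[311]: login ok user=alice from=198.51.100.7",
	"2015-10-01T12:01:30Z router dropbear[402]: child connection from 198.51.100.7",
	"2015-10-01T12:02:00Z router telnetd[311]: login failed user=root from=203.0.113.9",
	"2015-10-01T12:02:01Z router telnetd[311]: login failed user=root from=203.0.113.9",
	"2015-10-01T12:02:02Z router telnetd[311]: login failed user=root from=203.0.113.9",
	"2015-10-01T12:02:03Z router telnetd[311]: login failed user=root from=203.0.113.9",
	"2015-10-01T12:02:04Z router telnetd[311]: login failed user=root from=203.0.113.9",
}

// lineRe matches only telnetd login records; other daemons' lines are skipped.
var lineRe = regexp.MustCompile(`^(\S+) \S+ telnetd\[\d+\]: login (failed|ok) user=(\S+) from=(\S+)$`)

type Attempt struct {
	At   time.Time
	User string
	OK   bool
}

// ParseTelnetLog groups login attempts by source address, in log order.
func ParseTelnetLog(lines []string) (map[string][]Attempt, error) {
	byIP := make(map[string][]Attempt)
	for _, l := range lines {
		m := lineRe.FindStringSubmatch(l)
		if m == nil {
			continue // not a telnetd login line
		}
		t, err := time.Parse(time.RFC3339, m[1])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp in %q: %w", l, err)
		}
		byIP[m[4]] = append(byIP[m[4]], Attempt{At: t, User: m[3], OK: m[2] == "ok"})
	}
	return byIP, nil
}

// burstEnd returns the time of the failure that completes the first run of
// `limit` failed logins inside a sliding `window`, if there is one.
func burstEnd(attempts []Attempt, limit int, window time.Duration) (time.Time, bool) {
	var fails []time.Time
	for _, a := range attempts {
		if a.OK {
			continue
		}
		fails = append(fails, a.At)
		for len(fails) > 0 && a.At.Sub(fails[0]) > window {
			fails = fails[1:] // failure fell out of the window
		}
		if len(fails) >= limit {
			return a.At, true
		}
	}
	return time.Time{}, false
}

// Assess returns the sources with at least `limit` failed logins inside any
// `window`-long span, and the subset of those that then logged in
// successfully: a guessed weak credential, the route Wifatch uses.
func Assess(byIP map[string][]Attempt, limit int, window time.Duration) (bruteForcers, compromised []string) {
	for ip, attempts := range byIP {
		end, ok := burstEnd(attempts, limit, window)
		if !ok {
			continue
		}
		bruteForcers = append(bruteForcers, ip)
		for _, a := range attempts {
			if a.OK && !a.At.Before(end) {
				compromised = append(compromised, ip)
				break
			}
		}
	}
	sort.Strings(bruteForcers) // stable output for reports and tests
	sort.Strings(compromised)
	return bruteForcers, compromised
}

func main() {
	byIP, err := ParseTelnetLog(sampleLog)
	if err != nil {
		panic(err)
	}
	bf, comp := Assess(byIP, 5, time.Minute)
	fmt.Println("brute-force sources:", bf)
	fmt.Println("likely compromised via guessed credential:", comp)
}
```

On the sample data the user who mistypes a password once (198.51.100.7) is not flagged, while both scanning sources are, and only the one that eventually got a successful login is reported as a probable compromise. The threshold and window are policy choices; five failures in a minute is far below what an automated scanner produces, so tune them against your own traffic rather than the values here.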


This is where the malware steps away from the norm. Once infected, the Internet of Things (IoT) product -- a smart fridge, router, security system or lighting setup -- is connected to a peer-to-peer network. At this point you would expect the device to have become a bot within that P2P network, ready to be loaded with additional malware payloads and pointed at DDoS targets.

However, this does not appear to be the case. Instead, the network distributes threat updates, and the malware's hardcoded routines "seem to have been implemented in order to harden compromised devices," according to the researchers.

"The further we dug into Wifatch's code the more we had the feeling that there was something unusual about this threat. For all intents and purposes it appeared like the author was trying to secure infected devices instead of using them for malicious activities," Symantec says.

"We've been monitoring Wifatch's peer-to-peer network for a number of months and have yet to observe any malicious actions being carried out through it."

The malware's author has gone further. Once a device is infected, Wifatch tries to close the route it came in through: it kills the Telnet daemon and leaves a message in its place telling the device's owner to change their password and update the firmware.


In addition, a Wifatch module tries to eradicate any other malware already present on the compromised device, including well-known families that target connected home products for less savory reasons, such as spying and remote control.

In its analysis, Symantec's researchers write:

"Wifatch's code is not obfuscated; it just uses compression and contains minified versions of the source code. It looks like the author wasn't particularly worried about others being able to inspect the code.

The threat has a module that seems to be an exploit for Dahua DVR CCTV systems. The module allows Wifatch to set the configuration of the device to automatically reboot every week. One could speculate that because Wifatch may not be able to properly defend this type of device, instead, its strategy may be to reboot it periodically which would kill running malware and set the device back to a clean state."

It is worth noting that the creator of this vigilante malware may have a darker side.

Wifatch does contain a number of back doors through which the author could carry out malicious activities. Commands sent through them must carry a valid cryptographic signature, so only the holder of the author's signing key can issue them and nobody else can hijack the network. The command-and-control (C&C) infrastructure is hidden behind the Tor anonymity network. Note what that signature check protects: the author's exclusive control over the infected devices, not their owners. Whoever holds the key can redirect the whole network.
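Symantec reports that the back doors only honour signed commands. The following Go program, added here as an illustration and not taken from Wifatch or from Symantec's write-up, shows what such a design buys and what it does not: an operator signs commands with an Ed25519 private key, an infected node holding only the public key verifies them, and the node rejects a tampered command, a command signed with someone else's key, and a replayed copy of a genuine command. The message layout, the choice of Ed25519 and the sequence-number replay check are assumptions for the example; the article does not describe Wifatch's actual command format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Command is the unit that would travel over the P2P network. The layout
// (sequence number, body, signature over both) is an assumption for this
// example, not Wifatch's real wire format.
type Command struct {
	Seq  uint64
	Body string
	Sig  []byte
}

// signingInput binds the sequence number to the body so that neither can be
// swapped out without invalidating the signature.
func signingInput(seq uint64, body string) []byte {
	buf := make([]byte, 8+len(body))
	binary.BigEndian.PutUint64(buf, seq)
	copy(buf[8:], body)
	return buf
}

// Operator holds the private key; it is the only party able to issue commands.
type Operator struct {
	priv ed25519.PrivateKey
	seq  uint64
}

func NewOperator() (*Operator, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Operator{priv: priv}, pub, nil
}

// Issue signs a new command with the next sequence number.
func (o *Operator) Issue(body string) Command {
	o.seq++
	return Command{Seq: o.seq, Body: body, Sig: ed25519.Sign(o.priv, signingInput(o.seq, body))}
}

// Node is an infected device. It carries only the public key, so it can check
// commands but cannot forge them, and it remembers the last accepted sequence
// number so that a captured command cannot simply be sent again.
type Node struct {
	pub     ed25519.PublicKey
	lastSeq uint64
}

var (
	ErrBadSignature = errors.New("command rejected: signature does not verify")
	ErrReplay       = errors.New("command rejected: sequence number not newer than last accepted")
)

// Accept verifies the signature first, then the freshness, and only then
// advances the replay counter.
func (n *Node) Accept(c Command) error {
	if !ed25519.Verify(n.pub, signingInput(c.Seq, c.Body), c.Sig) {
		return ErrBadSignature
	}
	if c.Seq <= n.lastSeq {
		return ErrReplay
	}
	n.lastSeq = c.Seq
	return nil
}

// Scenario plays the exchange through: a genuine command, a tampered copy, a
// command from a different key, a replay and a second genuine command. It
// returns the node's verdict on each.
func Scenario() (map[string]error, error) {
	op, pub, err := NewOperator()
	if err != nil {
		return nil, err
	}
	node := &Node{pub: pub}
	res := map[string]error{}

	genuine := op.Issue("update")
	res["genuine"] = node.Accept(genuine)

	tampered := genuine
	tampered.Body = "run /tmp/payload" // body rewritten, original signature kept
	res["tampered"] = node.Accept(tampered)

	imposter, _, err := NewOperator() // correctly signed, but with the wrong key
	if err != nil {
		return nil, err
	}
	res["wrong_key"] = node.Accept(imposter.Issue("update"))

	res["replay"] = node.Accept(genuine) // the valid command, sent a second time
	res["next"] = node.Accept(op.Issue("reboot"))
	return res, nil
}

func main() {
	res, err := Scenario()
	if err != nil {
		panic(err)
	}
	for _, k := range []string{"genuine", "tampered", "wrong_key", "replay", "next"} {
		fmt.Printf("%-10s -> %v\n", k, res[k])
	}
}
```

The node never rejects anything the key holder signs. That is the whole point for the author and the whole risk for the device owner: the signature establishes who is speaking, not whether what they say is benign, and the same check that locks out rival botmasters would pass a malicious update without complaint if the author's intent, or custody of the key, ever changed.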

Wifatch is peculiar, and certainly out of the ordinary. It will be interesting to see whether its creator intends to remain a force for good, or whether Wifatch's activities turn to darker purposes over time.
