Unexpectedly benevolent malware improves security of routers, IoT devices

At this point in time, the existence of a botnet made up of tens of thousands of compromised routers and other IoT devices is not news. Nevertheless, this latest one mapped by researchers is a special one, as it seems that its herder does not have malicious intentions.

Quite the opposite, in fact. Armed with a piece of code that the researchers dubbed Wifatch, the individual behind this scheme aims to secure the devices against compromise by malware and other bot herders.

Wifatch was first spotted by an independent security researcher in November 2014. The latest analysis by Symantec researchers reveals that it can be found on tens of thousands of devices around the world, with the majority concentrated in China, Brazil, Mexico and India.

“Once a device is infected with the Wifatch, it connects to a peer-to-peer network that is used to distribute threat updates,” the researchers explained. “Wifatch’s code does not ship any payloads used for malicious activities, such as carrying out DDoS attacks, in fact all the hardcoded routines seem to have been implemented in order to harden compromised devices.”

After several months of monitoring the botnet, there has been no indication that it’s being used for nefarious purposes.

“Wifatch not only tries to prevent further access by killing the legitimate Telnet daemon, it also leaves a message in its place telling device owners to change passwords and update the firmware,” the researchers say.

One of its modules also tries to remove known malware families targeting embedded devices (if it finds one or more of them on the device).

Wifatch is able to infect devices based on different architectures: ARM, MIPS, SH4, PowerPC, and so on.

There are several other things that indicate that the Wifatch bot herder is on a mission to keep users safe: he (or she) did not obfuscate Wifatch’s code, has included debug messages in it to enable easier analysis, and has made sure that the backdoors it puts in the devices accept only commands signed by him (or her) so that other attackers can’t hijack the botnet.
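The property the researchers describe here, that a device acts only on messages signed by one key holder, is the same one a firmware-update check relies on: anyone else who reaches the device cannot make it act. The following is an added example (not Wifatch’s code, and not Symantec’s analysis) of how such a pinned-key verifier works. It assumes Ed25519 signatures, a hypothetical message layout of a sequence number plus a command body, and a replay check on the sequence number; all three are my choices, not details from the article.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// ControlMessage is a hypothetical control/update message: a monotonically
// increasing sequence number plus a body. The layout is an assumption of this
// example, not the format used by any real bot or update mechanism.
type ControlMessage struct {
	Seq  uint64
	Body string
}

// Encode produces the exact bytes that are signed and later verified:
// 8 bytes big-endian sequence number followed by the body.
func (m ControlMessage) Encode() []byte {
	buf := make([]byte, 8+len(m.Body))
	binary.BigEndian.PutUint64(buf, m.Seq)
	copy(buf[8:], m.Body)
	return buf
}

var (
	ErrBadSignature = errors.New("signature does not verify under pinned key")
	ErrReplay       = errors.New("sequence number not newer than last accepted")
)

// Verifier holds the single pinned public key the device trusts and the last
// sequence number it accepted, so an old but validly signed message cannot be
// replayed.
type Verifier struct {
	pinned  ed25519.PublicKey
	lastSeq uint64
}

func NewVerifier(pub ed25519.PublicKey) *Verifier { return &Verifier{pinned: pub} }

// Accept returns nil only if sig is a valid Ed25519 signature over m under the
// pinned key and m.Seq is strictly greater than the last accepted value.
// Messages signed by any other key, tampered after signing, or replayed are
// rejected before the device acts on them.
func (v *Verifier) Accept(m ControlMessage, sig []byte) error {
	if !ed25519.Verify(v.pinned, m.Encode(), sig) {
		return ErrBadSignature
	}
	if m.Seq <= v.lastSeq {
		return ErrReplay
	}
	v.lastSeq = m.Seq
	return nil
}

// Sign is the key holder's side: it signs the encoded message.
func Sign(priv ed25519.PrivateKey, m ControlMessage) []byte {
	return ed25519.Sign(priv, m.Encode())
}

func main() {
	// Constructed keys for the demonstration: one trusted, one belonging to
	// a hypothetical third party that reaches the device.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	v := NewVerifier(pub)

	m := ControlMessage{Seq: 1, Body: "update-threat-list"}
	fmt.Println("authorized:", v.Accept(m, Sign(priv, m))) // <nil>
	fmt.Println("replay:    ", v.Accept(m, Sign(priv, m))) // ErrReplay

	tampered := ControlMessage{Seq: 2, Body: "something-else"}
	fmt.Println("tampered:  ", v.Accept(tampered, Sign(priv, m))) // ErrBadSignature

	foreign := ControlMessage{Seq: 2, Body: "hijack-attempt"}
	fmt.Println("other key: ", v.Accept(foreign, Sign(otherPriv, foreign))) // ErrBadSignature
}
```

The same structure applies on the defensive side: a device that only installs firmware images verifying under a vendor key pinned at manufacture time cannot be handed a malicious image by whoever happens to reach its update channel.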

Finally, the source code holds one particular quote by software freedom activist Richard Stallman: “To any NSA and FBI agents reading this: please consider whether defending the US Constitution against all enemies, foreign or domestic, requires you to follow Snowden’s example.”

“There is no doubt that Linux.Wifatch is an interesting piece of code,” the researchers note, but point out that it’s still considered malware, as it infects a device without user consent.

“Resetting an infected device will remove the Wifatch malware; however, devices may become infected again over time. If possible, users are advised to keep their devices’ software and firmware up to date and to change any default passwords that may be in use,” they concluded.