Security Experts:

Developers of Mysterious Wifatch Malware Come Forward

The group responsible for the development of the "vigilante malware" known as Wifatch has published the project’s source code.

Last week at the Virus Bulletin conference in Prague, Symantec researcher Mario Ballano detailed a mysterious piece of malware that infected tens of thousands of routers, IP cameras and other devices apparently with the purpose of protecting them.

Linux.Wifatch, which has been around since at least November 2014, uses Telnet and other protocols to hack into devices on which owners either set a weak password or left the default password unchanged. Once it infects a device, Wifatch scans it for known malware and disables Telnet to keep others out.

While a threat like Wifatch can be used for a wide range of malicious activities, including distributed denial-of-service (DDoS) attacks and DNS poisoning, the fact that it wasn’t used for anything malicious has led experts to believe that its operators are “IoT vigilantes” whose goal is to secure vulnerable devices.

This appears to be the case as a group calling itself “The White Team” has published the source code for Linux.Wifatch. Ballano has confirmed for SecurityWeek that the source code is genuine. The researcher says the developers of Wifatch contacted Symantec to let the company know about their intention to publish the source files.

The developers of Wifatch claim to have created the malware to learn, to understand, for fun, and for users’ security.

“Apart from the learning experience, this is a truly altruistic project, and no malicious actions are planned (and it nice touch that Symantec watch over this),” they wrote next to the source code files.

The developers claim the project was never meant to be a secret, but they didn’t make its existence known earlier to avoid unwanted attention, particularly from malware authors. However, now that everyone knows about Wifatch, they have decided to release the source code under the GNU General Public License.

The authors of Wifatch haven’t revealed their true identity and only noted that they are “nobody important.” They say they feel bad about abusing infected users’ resources, but they believe the benefits of their actions outweigh the potential negative impact.

“The amount of saved bandwidth by taking down other scanning malware, the amount energy saved by killing illegal bitcoin miners, the number of reboots and service interruptions prevented by not overheating these devices, the number of credentials and money not stolen should all outweigh this. We co-opted your devices to help the general public (in a small way),” the developers said.

The Wifatch botnet uses a peer-to-peer (P2P) architecture to prevent takeovers and all the commands sent to the bots are signed with a private ECDSA key.

In order to prevent abuse, the source code that has been made available does not contain the private key, the infection code, and certain parts of the command and control code. Build scripts are also missing, but these and other components could be released at a later time.

However, the White Team has warned that users should secure their routers against such attacks since the private key might get stolen or there could be a bug in the code that can be exploited to gain access.

Symantec also revealed finding the following quote from software freedom activist Richard Stallman in the Wifatch source code: “To any NSA and FBI agents reading my email: please consider whether defending the US Constitution against all enemies, foreign or domestic, requires you to follow Snowden's example.”

The White Team said it had initially used this quote in the Telnet message displayed on infected devices, but it was removed after a short period of time because the group found it “a bit silly.”

Ballano told SecurityWeek that the Telnet message displayed on infected devices has been updated to clarify the project’s intentions and purpose. The researcher says that while the developers of Wifatch seem to have good intentions, Symantec will continue to monitor their activities.

view counter