Developers of Mysterious Wifatch Malware Come Forward

The group responsible for the development of the “vigilante malware” known as Wifatch has published the project’s source code.

Last week at the Virus Bulletin conference in Prague, Symantec researcher Mario Ballano detailed a mysterious piece of malware that infected tens of thousands of routers, IP cameras and other devices apparently with the purpose of protecting them.

Linux.Wifatch, which has been around since at least November 2014, uses Telnet and other protocols to hack into devices on which owners either set a weak password or left the default password unchanged. Once it infects a device, Wifatch scans it for known malware and disables Telnet to keep others out.
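As an added illustration (written for this page, not code from the article or from the Wifatch release), the detection logic a router operator could run over Telnet daemon logs to spot the behaviour just described: a login that succeeds only after a run of failed guesses from the same source address. The log line format, the addresses, the user names and the three-failure threshold are all constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample of router syslog lines. The message format is an assumption
// made for this example, not the output of any particular router firmware.
const sampleLog = `Oct  5 10:00:01 router telnetd: login failed for admin from 198.51.100.7
Oct  5 10:00:02 router telnetd: login failed for admin from 198.51.100.7
Oct  5 10:00:03 router telnetd: login failed for root from 198.51.100.7
Oct  5 10:00:04 router telnetd: login succeeded for admin from 198.51.100.7
Oct  5 10:05:00 router telnetd: login succeeded for admin from 192.0.2.10
Oct  5 10:06:00 router telnetd: login failed for admin from 203.0.113.5`

// loginRe pulls outcome, user name and source address out of one log line.
var loginRe = regexp.MustCompile(`telnetd: login (failed|succeeded) for (\S+) from (\S+)`)

// Alert describes one source that got in after guessing.
type Alert struct {
	Source   string // address the successful login came from
	Failures int    // failed attempts from that address immediately before success
	User     string // account that was finally logged into
}

// detectGuessedLogins returns one Alert per source address whose successful
// Telnet login was preceded by at least minFailures failed attempts. A success
// with no preceding failures (an owner typing the right password) is not flagged.
func detectGuessedLogins(log string, minFailures int) []Alert {
	failures := map[string]int{} // running failure count per source address
	var alerts []Alert
	for _, line := range strings.Split(log, "\n") {
		m := loginRe.FindStringSubmatch(line)
		if m == nil {
			continue // not a telnetd login line
		}
		outcome, user, src := m[1], m[2], m[3]
		switch outcome {
		case "failed":
			failures[src]++
		case "succeeded":
			if failures[src] >= minFailures {
				alerts = append(alerts, Alert{Source: src, Failures: failures[src], User: user})
			}
			failures[src] = 0 // a success ends the current guessing run
		}
	}
	return alerts
}

func main() {
	for _, a := range detectGuessedLogins(sampleLog, 3) {
		fmt.Printf("possible credential guessing: %s logged in as %s after %d failed attempts\n",
			a.Source, a.User, a.Failures)
	}
}
```

On the constructed input only 198.51.100.7 is flagged: three failures, then a successful login as admin. The second success (192.0.2.10, no failures) is treated as a normal login. A real deployment would feed this the syslog stream rather than a constant, and the practical follow-up is the one the article implies: change the password and turn Telnet off rather than relying on the alert.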

While a threat like Wifatch can be used for a wide range of malicious activities, including distributed denial-of-service (DDoS) attacks and DNS poisoning, the fact that it wasn’t used for anything malicious has led experts to believe that its operators are “IoT vigilantes” whose goal is to secure vulnerable devices.

This appears to be the case as a group calling itself “The White Team” has published the source code for Linux.Wifatch. Ballano has confirmed for SecurityWeek that the source code is genuine. The researcher says the developers of Wifatch contacted Symantec to let the company know about their intention to publish the source files.

The developers of Wifatch claim to have created the malware to learn, to understand, for fun, and for users’ security.

“Apart from the learning experience, this is a truly altruistic project, and no malicious actions are planned (and it is a nice touch that Symantec watches over this),” they wrote next to the source code files.

The developers claim the project was never meant to be a secret, but they didn’t make its existence known earlier to avoid unwanted attention, particularly from malware authors. However, now that everyone knows about Wifatch, they have decided to release the source code under the GNU General Public License.

The authors of Wifatch haven’t revealed their true identity and only noted that they are “nobody important.” They say they feel bad about abusing infected users’ resources, but they believe the benefits of their actions outweigh the potential negative impact.

“The amount of saved bandwidth by taking down other scanning malware, the amount of energy saved by killing illegal bitcoin miners, the number of reboots and service interruptions prevented by not overheating these devices, the number of credentials and money not stolen should all outweigh this. We co-opted your devices to help the general public (in a small way),” the developers said.

The Wifatch botnet uses a peer-to-peer (P2P) architecture to prevent takeovers, and all the commands sent to the bots are signed with a private ECDSA key.

In order to prevent abuse, the source code that has been made available does not contain the private key, the infection code, and certain parts of the command and control code. Build scripts are also missing, but these and other components could be released at a later time.

However, the White Team has warned that users should secure their routers against such attacks since the private key might get stolen or there could be a bug in the code that can be exploited to gain access.
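To make the two preceding points concrete (commands signed with a private ECDSA key, and the warning that a stolen key would defeat that protection), here is an added Go example written for this page; it is not code from the Wifatch release and does not reproduce its protocol. It uses the standard library's ECDSA over P-256 with SHA-256, which is an assumption about the curve and hash; the command strings and the checkScenarios helper are likewise constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// signCommand is the operator side: hash the command text and sign the digest
// with the private key, the component deliberately left out of the published source.
func signCommand(priv *ecdsa.PrivateKey, cmd string) ([]byte, error) {
	digest := sha256.Sum256([]byte(cmd))
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// verifyCommand is the bot side: act only if the signature checks out under the
// public key embedded in the bot. Any peer can relay a command over the P2P
// network; only the private-key holder can produce one that verifies.
func verifyCommand(pub *ecdsa.PublicKey, cmd string, sig []byte) bool {
	digest := sha256.Sum256([]byte(cmd))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Outcome records what a bot would decide in four situations.
type Outcome struct {
	Genuine   bool // operator-signed command: accepted
	Tampered  bool // operator's signature replayed on a different command: rejected
	WrongKey  bool // command signed with a third party's own key: rejected
	StolenKey bool // attacker holding a copy of the operator's private key: accepted
}

// checkScenarios generates a fresh operator key pair and a separate third-party
// key pair (both constructed here, not real Wifatch keys) and runs the four cases.
func checkScenarios() (Outcome, error) {
	operator, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	thirdParty, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	const benign = "disable-telnet; scan-for-known-malware" // constructed command text
	const hostile = "reenable-telnet"                        // constructed command text

	sig, err := signCommand(operator, benign)
	if err != nil {
		return Outcome{}, err
	}
	thirdSig, err := signCommand(thirdParty, hostile)
	if err != nil {
		return Outcome{}, err
	}
	stolenSig, err := signCommand(operator, hostile) // what a leaked key allows
	if err != nil {
		return Outcome{}, err
	}

	pub := &operator.PublicKey
	return Outcome{
		Genuine:   verifyCommand(pub, benign, sig),
		Tampered:  verifyCommand(pub, hostile, sig),
		WrongKey:  verifyCommand(pub, hostile, thirdSig),
		StolenKey: verifyCommand(pub, hostile, stolenSig),
	}, nil
}

func main() {
	o, err := checkScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine accepted: %v, tampered accepted: %v, third-party key accepted: %v, stolen key accepted: %v\n",
		o.Genuine, o.Tampered, o.WrongKey, o.StolenKey)
}
```

The first three cases are the property the signing scheme buys: a relayed, altered or independently signed command never verifies, so publishing everything except the private key does not hand the botnet to readers of the source. The fourth case is the White Team's own caveat in code form: the bot cannot tell the operator from anyone holding a copy of the key, so the only protection that does not depend on that key staying secret is on the device side, namely a strong password and Telnet switched off.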

Symantec also revealed finding the following quote from software freedom activist Richard Stallman in the Wifatch source code: “To any NSA and FBI agents reading my email: please consider whether defending the US Constitution against all enemies, foreign or domestic, requires you to follow Snowden’s example.”

The White Team said it had initially used this quote in the Telnet message displayed on infected devices, but it was removed after a short period of time because the group found it “a bit silly.”

Ballano told SecurityWeek that the Telnet message displayed on infected devices has been updated to clarify the project’s intentions and purpose. The researcher says that while the developers of Wifatch seem to have good intentions, Symantec will continue to monitor their activities.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
