Developers of Mysterious Wifatch Malware Come Forward

The group responsible for the development of the “vigilante malware” known as Wifatch has published the project’s source code.

Last week at the Virus Bulletin conference in Prague, Symantec researcher Mario Ballano detailed a mysterious piece of malware that infected tens of thousands of routers, IP cameras and other devices apparently with the purpose of protecting them.

Linux.Wifatch, which has been around since at least November 2014, uses Telnet and other protocols to hack into devices on which owners either set a weak password or left the default password unchanged. Once it infects a device, Wifatch scans it for known malware and disables Telnet to keep others out.

While a threat like Wifatch can be used for a wide range of malicious activities, including distributed denial-of-service (DDoS) attacks and DNS poisoning, the fact that it wasn’t used for anything malicious has led experts to believe that its operators are “IoT vigilantes” whose goal is to secure vulnerable devices.

This appears to be the case as a group calling itself “The White Team” has published the source code for Linux.Wifatch. Ballano has confirmed for SecurityWeek that the source code is genuine. The researcher says the developers of Wifatch contacted Symantec to let the company know about their intention to publish the source files.

The developers of Wifatch claim to have created the malware to learn, to understand, for fun, and for users’ security.

“Apart from the learning experience, this is a truly altruistic project, and no malicious actions are planned (and it's a nice touch that Symantec watches over this),” they wrote next to the source code files.

The developers claim the project was never meant to be a secret, but they didn’t make its existence known earlier to avoid unwanted attention, particularly from malware authors. However, now that everyone knows about Wifatch, they have decided to release the source code under the GNU General Public License.

The authors of Wifatch haven’t revealed their true identity and only noted that they are “nobody important.” They say they feel bad about abusing infected users’ resources, but they believe the benefits of their actions outweigh the potential negative impact.

“The amount of saved bandwidth by taking down other scanning malware, the amount of energy saved by killing illegal bitcoin miners, the number of reboots and service interruptions prevented by not overheating these devices, the number of credentials and money not stolen should all outweigh this. We co-opted your devices to help the general public (in a small way),” the developers said.

The Wifatch botnet uses a peer-to-peer (P2P) architecture to prevent takeovers and all the commands sent to the bots are signed with a private ECDSA key.

In order to prevent abuse, the source code that has been made available does not contain the private key, the infection code, and certain parts of the command and control code. Build scripts are also missing, but these and other components could be released at a later time.

However, the White Team has warned that users should secure their routers against such attacks since the private key might get stolen or there could be a bug in the code that can be exploited to gain access.
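The two paragraphs above describe the mechanism that makes the source release safe to publish without the private key, and the reason the White Team still warns about key theft: every bot embeds only the operator's public key and will act on a command only if its ECDSA signature verifies. The following Go program is an added illustration of that pattern, not code from the Wifatch source or from Symantec. The command layout (a sequence number plus a text body), the use of SHA-256 over both fields, the P-256 curve and the replay check on the sequence number are all assumptions made for this example; the article only states that commands are signed with a private ECDSA key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Command is a constructed stand-in for a bot command. The article only says
// commands are ECDSA-signed; the sequence number (for replay protection) and
// the text body are assumptions made for this example.
type Command struct {
	Seq  uint64
	Body string
}

// digest binds both fields into one SHA-256 hash so the signature covers
// the sequence number as well as the body.
func digest(c Command) []byte {
	var seq [8]byte
	binary.BigEndian.PutUint64(seq[:], c.Seq)
	h := sha256.New()
	h.Write(seq[:])
	h.Write([]byte(c.Body))
	return h.Sum(nil)
}

// NewOperatorKey generates the operator's private key (P-256 is an assumed
// curve choice; the article does not name one). Only the operator holds it.
func NewOperatorKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign produces a DER-encoded ECDSA signature over the command digest.
func Sign(priv *ecdsa.PrivateKey, c Command) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, digest(c))
}

// Bot models an infected device: it embeds only the operator's public key,
// which is why publishing the source without the private key does not let
// anyone else issue commands.
type Bot struct {
	OperatorPub *ecdsa.PublicKey
	LastSeq     uint64
}

// Accept returns true only if the signature verifies under the embedded
// public key and the sequence number is newer than the last accepted one.
func (b *Bot) Accept(c Command, sig []byte) bool {
	if !ecdsa.VerifyASN1(b.OperatorPub, digest(c), sig) {
		return false
	}
	if c.Seq <= b.LastSeq {
		return false // replay of an old, genuinely signed command
	}
	b.LastSeq = c.Seq
	return true
}

func main() {
	operator, err := NewOperatorKey()
	if err != nil {
		panic(err)
	}
	bot := &Bot{OperatorPub: &operator.PublicKey}

	cmd := Command{Seq: 1, Body: "disable-telnet"}
	sig, _ := Sign(operator, cmd)
	fmt.Println("genuine command accepted:", bot.Accept(cmd, sig))
	fmt.Println("replayed command accepted:", bot.Accept(cmd, sig))

	// Someone holding only the published source (no private key) signs a
	// command with a key of their own; the bot's embedded public key rejects it.
	stranger, _ := NewOperatorKey()
	forged := Command{Seq: 2, Body: "reboot"}
	forgedSig, _ := Sign(stranger, forged)
	fmt.Println("foreign-key command accepted:", bot.Accept(forged, forgedSig))

	// A stolen private key, the risk the White Team warns about, produces
	// signatures the bot cannot distinguish from the operator's.
	stolenSig, _ := Sign(operator, forged)
	fmt.Println("stolen-key command accepted:", bot.Accept(forged, stolenSig))
}
```

The last two checks are the point of the warning in the article: signature verification stops anyone who has only the public source from taking over the bots, but it offers no protection once the private key itself is compromised, which is why device owners are told to secure their routers rather than rely on the botnet's controls.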

Symantec also revealed finding the following quote from software freedom activist Richard Stallman in the Wifatch source code: “To any NSA and FBI agents reading my email: please consider whether defending the US Constitution against all enemies, foreign or domestic, requires you to follow Snowden’s example.”

The White Team said it had initially used this quote in the Telnet message displayed on infected devices, but it was removed after a short period of time because the group found it “a bit silly.”

Ballano told SecurityWeek that the Telnet message displayed on infected devices has been updated to clarify the project’s intentions and purpose. The researcher says that while the developers of Wifatch seem to have good intentions, Symantec will continue to monitor their activities.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
