
Developers of Mysterious Wifatch Malware Come Forward

The group responsible for the development of the “vigilante malware” known as Wifatch has published the project’s source code.

Last week at the Virus Bulletin conference in Prague, Symantec researcher Mario Ballano detailed a mysterious piece of malware that infected tens of thousands of routers, IP cameras and other devices apparently with the purpose of protecting them.

Linux.Wifatch, which has been around since at least November 2014, uses Telnet and other protocols to hack into devices on which owners either set a weak password or left the default password unchanged. Once it infects a device, Wifatch scans it for known malware and disables Telnet to keep others out.

While a threat like Wifatch can be used for a wide range of malicious activities, including distributed denial-of-service (DDoS) attacks and DNS poisoning, the fact that it wasn’t used for anything malicious has led experts to believe that its operators are “IoT vigilantes” whose goal is to secure vulnerable devices.

This appears to be the case as a group calling itself “The White Team” has published the source code for Linux.Wifatch. Ballano has confirmed for SecurityWeek that the source code is genuine. The researcher says the developers of Wifatch contacted Symantec to let the company know about their intention to publish the source files.

The developers of Wifatch claim to have created the malware to learn, to understand, for fun, and for users’ security.

“Apart from the learning experience, this is a truly altruistic project, and no malicious actions are planned (and it's a nice touch that Symantec watches over this),” they wrote next to the source code files.

The developers claim the project was never meant to be a secret, but they didn’t make its existence known earlier to avoid unwanted attention, particularly from malware authors. However, now that everyone knows about Wifatch, they have decided to release the source code under the GNU General Public License.

The authors of Wifatch haven’t revealed their true identity and only noted that they are “nobody important.” They say they feel bad about abusing infected users’ resources, but they believe the benefits of their actions outweigh the potential negative impact.

“The amount of saved bandwidth by taking down other scanning malware, the amount of energy saved by killing illegal bitcoin miners, the number of reboots and service interruptions prevented by not overheating these devices, the number of credentials and money not stolen should all outweigh this. We co-opted your devices to help the general public (in a small way),” the developers said.

The Wifatch botnet uses a peer-to-peer (P2P) architecture to prevent takeovers and all the commands sent to the bots are signed with a private ECDSA key.

In order to prevent abuse, the source code that has been made available does not contain the private key, the infection code, and certain parts of the command and control code. Build scripts are also missing, but these and other components could be released at a later time.

However, the White Team has warned that users should secure their routers against such attacks since the private key might get stolen or there could be a bug in the code that can be exploited to gain access.
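The signed-command scheme described above, and the reason the White Team's warning about the private key matters, can be shown with a small example. This is added illustration code, not Wifatch's own source: the `SignedCommand` envelope, the payload strings and the P-256 curve are assumptions; the point is only that a bot verifying with an embedded public key rejects tampered or foreign-signed commands, but accepts anything signed by whoever holds the private key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedCommand is a hypothetical envelope: a bot acts on Payload only if
// Sig verifies under the operator public key compiled into the bot.
type SignedCommand struct {
	Payload []byte
	Sig     []byte
}

// SignCommand is the operator side: only the holder of the private key can
// produce a signature the bots will accept.
func SignCommand(priv *ecdsa.PrivateKey, payload []byte) (SignedCommand, error) {
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return SignedCommand{}, err
	}
	return SignedCommand{Payload: payload, Sig: sig}, nil
}

// AcceptCommand is the bot side: verification against the embedded public
// key is what stops other peers in the P2P network from issuing commands.
func AcceptCommand(pub *ecdsa.PublicKey, cmd SignedCommand) bool {
	digest := sha256.Sum256(cmd.Payload)
	return ecdsa.VerifyASN1(pub, digest[:], cmd.Sig)
}

func main() {
	operator, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	stranger, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

	cmd, _ := SignCommand(operator, []byte("disable-telnet"))
	fmt.Println("genuine command accepted:", AcceptCommand(&operator.PublicKey, cmd))

	// Reusing a valid signature over a different payload fails.
	tampered := SignedCommand{Payload: []byte("reboot"), Sig: cmd.Sig}
	fmt.Println("tampered payload accepted:", AcceptCommand(&operator.PublicKey, tampered))

	// A command signed with any other key fails; a stolen operator key would not.
	foreign, _ := SignCommand(stranger, []byte("disable-telnet"))
	fmt.Println("foreign signature accepted:", AcceptCommand(&operator.PublicKey, foreign))
}
```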

Symantec also revealed finding the following quote from software freedom activist Richard Stallman in the Wifatch source code: “To any NSA and FBI agents reading my email: please consider whether defending the US Constitution against all enemies, foreign or domestic, requires you to follow Snowden’s example.”

The White Team said it had initially used this quote in the Telnet message displayed on infected devices, but it was removed after a short period of time because the group found it “a bit silly.”

Ballano told SecurityWeek that the Telnet message displayed on infected devices has been updated to clarify the project’s intentions and purpose. The researcher says that while the developers of Wifatch seem to have good intentions, Symantec will continue to monitor their activities.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
