Tens of Thousands of Routers, IP Cams Infected by Vigilante Malware

PRAGUE – Virus Bulletin 2015 – A mysterious piece of malware has infected tens of thousands of devices across the world, but its operator hasn’t used them for any malicious purposes.

The bot, dubbed by Symantec “Linux.Wifatch,” was first spotted in November 2014 when an independent researcher noticed some interesting processes on his home router. Symantec has been monitoring the threat since March 2015 and the security firm has been trying to solve the mystery of Wifatch ever since.

Symantec researchers have avoided calling Wifatch a piece of malware because it doesn’t actually do anything malicious. Instead, it appears to be the work of what experts call an “Internet of Things (IoT) vigilante” who wants to protect routers and other IoT devices from malicious actors.

Wifatch appears to scan the Internet for devices it can reach over Telnet, most likely logging in with weak or default credentials. Once it has infected a device, its operator controls it with commands signed using a private Elliptic Curve Digital Signature Algorithm (ECDSA) key.

The malware is written in Perl, and each sample ships with its own Perl interpreter. Infected devices join a peer-to-peer (P2P) network that is used to distribute updates, researchers said.

The backdoor Wifatch installs would normally allow infected devices to be abused for a wide range of activities, from distributed denial-of-service (DDoS) attacks to DNS poisoning. Instead, the actor behind the malware uses it to scan the device for known malware families based on their signatures, and to disable Telnet so that other attackers are kept out.

While it’s not uncommon for malware to try to keep other threats off an infected system, Wifatch goes a step further: it tells users who try to connect over Telnet that the service has been disabled to prevent further infection of the device, and even provides recommendations for preventing attacks.

In the case of Dahua DVR CCTV systems, a special module lets Wifatch configure the device to reboot every week. Since a reboot removes malware that runs only in memory, which is common on such devices, this could be a fallback defense for cases where the malware cleanup routine cannot run or Telnet cannot be disabled.

Symantec has identified tens of thousands of devices infected with Wifatch, most of which are routers and IP cameras. Roughly one third of the infections have been spotted in China, followed by Brazil (16%), Mexico (9%), India (9%), Vietnam (7%), Italy (7%), Turkey (7%), South Korea (5%), and the United States (5%).

The threat targets several CPU architectures, but most infected devices are ARM-based (83%), followed by MIPS (10%) and SH4 (7%).

The author of Wifatch has also taken precautions to ensure that the botnet cannot be hijacked by others. Because it relies on a P2P architecture there is no command and control (C&C) server to seize, and because every command is signed with the operator’s private ECDSA key, bots will not accept commands from anyone who does not hold that key.
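
To make the takeover-resistance point concrete, here is an added example of signed bot commands; it is not Wifatch’s code, and Symantec has not published the malware’s actual curve, hash or message format. It assumes P-256 with SHA-256 and a simple command-plus-DER-signature structure (`SignedCommand`, `SignCommand`, `AcceptCommand` are all names chosen for this illustration). The bot side holds only the operator’s public key, so a P2P peer can relay a command without being trusted, a tampered command fails verification, and a would-be hijacker signing with their own key is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedCommand is an assumed wire format: the raw command bytes plus a
// DER-encoded ECDSA signature over SHA-256(command). Symantec did not publish
// Wifatch's real format, curve or hash; P-256 and SHA-256 are choices made here.
type SignedCommand struct {
	Command   []byte
	Signature []byte
}

// GenerateOperatorKey creates the operator's ECDSA key pair (P-256, assumed).
// Only the public half is ever embedded in the bots.
func GenerateOperatorKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignCommand is the operator side: hash the command and sign the digest with
// the private key, which never leaves the operator.
func SignCommand(priv *ecdsa.PrivateKey, command string) (SignedCommand, error) {
	digest := sha256.Sum256([]byte(command))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return SignedCommand{}, err
	}
	return SignedCommand{Command: []byte(command), Signature: sig}, nil
}

// AcceptCommand is the bot side: a bot holds only the operator's public key and
// executes nothing whose signature does not verify against it. A peer that
// merely forwards the message through the P2P network needs no key at all.
func AcceptCommand(operatorPub *ecdsa.PublicKey, sc SignedCommand) bool {
	digest := sha256.Sum256(sc.Command)
	return ecdsa.VerifyASN1(operatorPub, digest[:], sc.Signature)
}

func main() {
	operator, err := GenerateOperatorKey()
	if err != nil {
		panic(err)
	}
	botView := &operator.PublicKey // all a bot ever ships with

	// 1. Genuine command from the operator: accepted.
	genuine, _ := SignCommand(operator, "disable_telnet")
	fmt.Println("genuine command accepted:  ", AcceptCommand(botView, genuine))

	// 2. A relaying peer (or an attacker on the path) edits the command but
	//    keeps the original signature: the digest no longer matches, rejected.
	tampered := SignedCommand{Command: []byte("enable_telnet"), Signature: genuine.Signature}
	fmt.Println("tampered command accepted: ", AcceptCommand(botView, tampered))

	// 3. A would-be hijacker signs with their own key: rejected, because the
	//    bots trust only the original operator's public key.
	hijacker, _ := GenerateOperatorKey()
	forged, _ := SignCommand(hijacker, "launch_ddos")
	fmt.Println("hijacker's command accepted:", AcceptCommand(botView, forged))
}
```

Note that a signature alone says nothing about freshness: neither the article nor this example covers replay, so a real design would also put a monotonic counter or timestamp inside the signed bytes and have bots reject anything older than the last command they executed.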

Symantec researcher Mario Ballano told SecurityWeek in an interview at the Virus Bulletin conference in Prague that the author of the threat seems to be an expert in cryptography and he has taken the necessary measures to prevent takeovers.

Wifatch could be operated by a group of individuals, but based on the consistency of the code Ballano believes it’s likely the work of a single individual. The author of Wifatch is not easy to track down since he uses the Tor anonymity network for sending commands to the bots.

While the Wifatch botnet could always be repurposed for malicious activities, given that it’s a fairly sophisticated threat, researchers haven’t spotted any malicious traffic so far and there appear to be no malicious routines. Furthermore, unlike most malware, Wifatch’s code is neither obfuscated nor encrypted (it is only compressed), and it contains a lot of debug information.

Further indication that this could be the work of a “vigilante” is provided by the following comment in the source code, which has been attributed to software freedom activist Richard Stallman: “To any NSA and FBI agents reading my email: please consider whether defending the US Constitution against all enemies, foreign or domestic, requires you to follow Snowden’s example.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.