Tens of Thousands of Routers, IP Cams Infected by Vigilante Malware

PRAGUE – Virus Bulletin 2015 – A mysterious piece of malware has infected tens of thousands of devices across the world, but its operator hasn’t used them for any malicious purposes.

The bot, which Symantec calls "Linux.Wifatch," was first spotted in November 2014 when an independent researcher noticed unusual processes running on his home router. Symantec has been monitoring the threat since March 2015 and has been trying to solve the mystery of Wifatch ever since.

Symantec researchers have avoided calling Wifatch a piece of malware because it doesn’t actually do anything malicious. Instead, it appears to be the work of what experts call an “Internet of Things (IoT) vigilante” who wants to protect routers and other IoT devices from malicious actors.

Wifatch appears to scan the Internet for devices it can reach over Telnet, most likely logging in with weak or default credentials. Once a device is infected, its operator controls it with commands signed using a private Elliptic Curve Digital Signature Algorithm (ECDSA) key, which the bot verifies with the matching public key before acting on them.

The malware is written in Perl, and each sample bundles its own Perl interpreter, since embedded devices rarely ship with one. Infected devices join a peer-to-peer (P2P) network that is used to distribute updates, researchers said.

The backdoor Wifatch installs would normally let infected devices be abused for a wide range of activities, from distributed denial-of-service (DDoS) attacks to DNS poisoning. Instead, the operator uses it to scan the device for known malware families by signature, and disables Telnet so that others cannot get in the same way.

Malware often tries to keep competing threats off a system it has compromised, but Wifatch goes further: users who try to connect over Telnet are told that the service has been disabled to prevent further infection of the device, and are given recommendations for preventing attacks.


For Dahua DVR CCTV systems, a dedicated module configures the device to reboot once a week. Because malware on such devices typically runs only in memory and does not survive a reboot, this is likely a fallback defense for cases where the cleanup routine cannot run or Telnet cannot be disabled.

Symantec has identified tens of thousands of devices infected with Wifatch, most of which are routers and IP cameras. Roughly one third of the infections have been spotted in China, followed by Brazil (16%), Mexico (9%), India (9%), Vietnam (7%), Italy (7%), Turkey (7%), South Korea (5%), and the United States (5%).

The threat targets several architectures, but most infected devices are ARM-based (83%), followed by MIPS (10%) and SH4 (7%).

The author of Wifatch has also taken precautions against the botnet being hijacked. Because it uses a P2P architecture there is no command and control (C&C) server to seize, and because every command must carry a valid ECDSA signature, anyone who does not hold the private key cannot issue commands that the bots will accept.
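The following Go program is an added illustration of the control scheme described above; it is not Wifatch's code, and the article does not say which curve, message format or anti-replay measure Wifatch actually uses. The choice of P-256, the SHA-256(seq || cmd) digest, the sequence number, and the command strings are all assumptions. The point it makes is the one that matters for takeover resistance: a bot carries only the public key and a counter, so a third party who can reach the P2P network can neither forge a command nor replay a captured one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// SignedCommand is a hypothetical wire format (an assumption, not Wifatch's):
// a monotonically increasing sequence number, the command text, and an
// ASN.1 DER ECDSA signature over SHA-256(seq || cmd).
type SignedCommand struct {
	Seq uint64
	Cmd string
	Sig []byte
}

// digest binds the sequence number to the command text, so a signature that
// is valid for one (seq, cmd) pair cannot be reused with another.
func digest(seq uint64, cmd string) []byte {
	h := sha256.New()
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], seq)
	h.Write(buf[:])
	h.Write([]byte(cmd))
	return h.Sum(nil)
}

// Operator holds the private key, which never leaves the operator's side.
type Operator struct {
	priv *ecdsa.PrivateKey
	seq  uint64
}

// NewOperator generates a fresh P-256 key pair (the curve is an assumption).
func NewOperator() (*Operator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Operator{priv: priv}, nil
}

// Public returns the verification key that would be embedded in every bot.
func (o *Operator) Public() *ecdsa.PublicKey { return &o.priv.PublicKey }

// Sign produces the next command in the sequence.
func (o *Operator) Sign(cmd string) (SignedCommand, error) {
	o.seq++
	sig, err := ecdsa.SignASN1(rand.Reader, o.priv, digest(o.seq, cmd))
	if err != nil {
		return SignedCommand{}, err
	}
	return SignedCommand{Seq: o.seq, Cmd: cmd, Sig: sig}, nil
}

var (
	ErrBadSignature = errors.New("signature does not verify against the operator's public key")
	ErrReplay       = errors.New("sequence number is not newer than the last accepted command")
)

// Bot holds only the public key and the highest sequence number it has
// accepted; there is no secret on the device that a hijacker could extract.
type Bot struct {
	pub      *ecdsa.PublicKey
	lastSeq  uint64
	Executed []string // commands the bot acted on, in order
}

func NewBot(pub *ecdsa.PublicKey) *Bot { return &Bot{pub: pub} }

// Accept verifies the signature before anything else, so tampered or
// foreign-keyed input is rejected whatever its sequence number; it then
// rejects replays of already accepted commands.
func (b *Bot) Accept(sc SignedCommand) error {
	if !ecdsa.VerifyASN1(b.pub, digest(sc.Seq, sc.Cmd), sc.Sig) {
		return ErrBadSignature
	}
	if sc.Seq <= b.lastSeq {
		return ErrReplay
	}
	b.lastSeq = sc.Seq
	b.Executed = append(b.Executed, sc.Cmd)
	return nil
}

func main() {
	op, err := NewOperator()
	if err != nil {
		panic(err)
	}
	bot := NewBot(op.Public())

	genuine, _ := op.Sign("disable_telnet")
	fmt.Println("genuine command: ", bot.Accept(genuine)) // <nil>
	fmt.Println("replayed command:", bot.Accept(genuine)) // replay error

	forged := genuine
	forged.Cmd = "ddos 203.0.113.10" // attacker edits the text, keeps the signature
	fmt.Println("tampered command:", bot.Accept(forged)) // bad signature

	intruder, _ := NewOperator() // a third party with their own key pair
	hijack, _ := intruder.Sign("ddos 203.0.113.10")
	fmt.Println("hijack attempt:  ", bot.Accept(hijack)) // bad signature
}
```

The sequence number is what a real deployment would need in addition to the signature: without it, a command captured from the P2P network could be replayed to any bot that had not yet seen it, which is why the digest covers the counter as well as the command text.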

Symantec researcher Mario Ballano told SecurityWeek in an interview at the Virus Bulletin conference in Prague that the author of the threat seems to be an expert in cryptography and he has taken the necessary measures to prevent takeovers.

Wifatch could be operated by a group of individuals, but based on the consistency of the code Ballano believes it’s likely the work of a single individual. The author of Wifatch is not easy to track down since he uses the Tor anonymity network for sending commands to the bots.

Because Wifatch is a fairly sophisticated threat, the botnet could always be repurposed for malicious activity, but researchers have not observed any malicious traffic so far and the code contains no malicious routines. Moreover, unlike most malware, Wifatch's code is neither obfuscated nor encrypted (it has only been compressed), and it retains a great deal of debug information.

Further indication that this could be the work of a “vigilante” is provided by the following comment in the source code, which has been attributed to software freedom activist Richard Stallman: “To any NSA and FBI agents reading my email: please consider whether defending the US Constitution against all enemies, foreign or domestic, requires you to follow Snowden’s example.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
