‘Vigilante’ Malware Protects Routers Against Security Threats

Steve McCaskill,
router internet DSL SOHO gateway broadband © Ensuper Shutterstock

Symantec researchers find malware that infects to protect

Security researchers have discovered a piece of ‘vigilante’ malware that infects routers and other connected devices, but instead of harming them, improves their security.

‘Linux.Wifatch’ was first observed in 2014 by a research who discovered his router was carrying out actions beyond the remit of the legitimate software and upon closer inspection, he found the device had connected to a peer-to-peer network of other compromised routers.

Symantec says routers have become attractive targets for attackers because it is difficult for most users to detect such threats and because these access points are useful for DDoS Attacks. It has monitored Wifatch for some time and has been able to document its peculiar behaviour.

Vigilante malware

Malware, virus, security © Finchen, Shutterstock 2014“Once a device is infected with the Wifatch, it connects to a peer-to-peer network that is used to distribute threat updates,” said Mario Ballano, a research at Symantec. “The further we dug into Wifatch’s code the more we had the feeling that there was something unusual about this threat. For all intents and purposes, it appeared like the author was trying to secure infected devices instead of using them for malicious activities.

“Wifatch’s code does not ship any payloads used for malicious activities, such as carrying out DDoS attacks, in fact all the hardcoded routines seem to have been implemented in order to harden compromised devices. We’ve been monitoring Wifatch’s peer-to-peer network for a number of months and have yet to observe any malicious actions being carried out through it.”

Ballano said the malware made no attempt to conceal itself and even left messages for users, urging them to change their passwords and update their firmware. Symantec estimates ‘tens of thousands’ of devices are affected and warns that despite Wifatch’s seemingly philanthropic intentions, it should be treated with caution.

“It should be made clear that Linux.Wifatch is a piece of code that infects a device without user consent and in that regard is the same as any other piece of malware,” Ballano continued. “It should also be pointed out that Wifatch contains a number of general-purpose back doors that can be used by the author to carry out potentially malicious actions. However, cryptographic signatures are verified upon the use of the back doors to verify that commands are indeed coming from the malware creator. This would reduce the risk of the peer-to-peer network being taken over by others.”

There is one simple fix however. Resetting your device will rid it of Wifatch, although that’s not to say it might rear its head in the future.

Router attacks have previously been used to launch major DDoS assaults, including some conducted by Lizard Squad, and to insert porn and adverts into web pages.

Are you a security pro? Try our quiz!