‘Vigilante’ Malware Protects Routers Against Security Threats

Security researchers have discovered a piece of ‘vigilante’ malware that infects routers and other connected devices, but instead of harming them, improves their security.

‘Linux.Wifatch’ was first observed in 2014 by a research who discovered his router was carrying out actions beyond the remit of the legitimate software and upon closer inspection, he found the device had connected to a peer-to-peer network of other compromised routers.

Symantec says routers have become attractive targets for attackers because it is difficult for most users to detect such threats and because these access points are useful for DDoS Attacks. It has monitored Wifatch for some time and has been able to document its peculiar behaviour.

Vigilante malware

“Once a device is infected with the Wifatch, it connects to a peer-to-peer network that is used to distribute threat updates,” said Mario Ballano, a research at Symantec. “The further we dug into Wifatch’s code the more we had the feeling that there was something unusual about this threat. For all intents and purposes, it appeared like the author was trying to secure infected devices instead of using them for malicious activities.

“Wifatch’s code does not ship any payloads used for malicious activities, such as carrying out DDoS attacks, in fact all the hardcoded routines seem to have been implemented in order to harden compromised devices. We’ve been monitoring Wifatch’s peer-to-peer network for a number of months and have yet to observe any malicious actions being carried out through it.”

Ballano said the malware made no attempt to conceal itself and even left messages for users, urging them to change their passwords and update their firmware. Symantec estimates ‘tens of thousands’ of devices are affected and warns that despite Wifatch’s seemingly philanthropic intentions, it should be treated with caution.

“It should be made clear that Linux.Wifatch is a piece of code that infects a device without user consent and in that regard is the same as any other piece of malware,” Ballano continued. “It should also be pointed out that Wifatch contains a number of general-purpose back doors that can be used by the author to carry out potentially malicious actions. However, cryptographic signatures are verified upon the use of the back doors to verify that commands are indeed coming from the malware creator. This would reduce the risk of the peer-to-peer network being taken over by others.”

There is one simple fix however. Resetting your device will rid it of Wifatch, although that’s not to say it might rear its head in the future.

Router attacks have previously been used to launch major DDoS assaults, including some conducted by Lizard Squad, and to insert porn and adverts into web pages.

Are you a security pro? Try our quiz!

Steve McCaskill

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.

Recent Posts

Google Warns Of Italian Spyware On Apple, Android Phones

Italian company's hacking tools have been used to spy on Apple, Android smartphones in Italy…

18 hours ago

Intel Signals Delay To Ohio Factory Over US Chips Act Dispute

Chip maker warns new factory in Columbus, Ohio could be delayed or scaled back, over…

19 hours ago

Silicon UK In Focus Podcast: Sustainable Business

How do sustainable businesses use technology to innovate? And as businesses want to connect sustainability…

20 hours ago

Australia Fines Samsung Over Water-Resistance Claims

Samsung rapped over the knuckles by Australian regulator because of 'misleading' Galaxy smartphone water-resistance claims…

1 day ago

Amazon Reveals Alexa Option To Mimic Any Person’s Voice

Bereavement aid for those in mourning? Amazon's Alexa voice assistant could be programmed to sound…

1 day ago