A seemingly altruistic piece of software named Linux.Wifatch has sneaked into tens of thousands of devices around the world, prompting suspicion that it may not be as altruistic as it seems.
The cybersecurity firm Symantec stated: “For all intents and purposes, it appeared like the author was trying to secure infected devices instead of using them for malicious activities.” Symantec commented that Wifatch’s hardcoded routines seem to help devices harden their defenses, killing the legitimate Telnet daemon, as well as leaving a message in its place that instructs device owners to change their passwords. The software also reboots the device periodically, allowing the device to kill running malware and set itself back to a clean state.
Symantec threat intelligence officer Val Saengphaibul admitted, “We have not seen any malicious activity whatsoever,” but added, “However, in the legal sense, this is illegal activity. It’s accessing computers on a network without the owner’s permission.”
The software was first noticed in November 2014 by an independent security researcher. One troubling aspect of the software is that it could possibly be used to spy on an owner prompted to type on a new password.
The program’s computer code states: “To any NSA and FBI agents reading this: please consider whether defending the US Constitution against all enemies, foreign or domestic, requires you to follow Snowden’s example.”
Symantec reported that most of Wifatch’s code is written in the Perl programming language; once Wifatch attaches to a device, it connects to a peer-to-peer network used to distribute threat updates. The cybersecurity firm added: “Wifatch has a module that attempts to remediate other malware infections present on the compromised device. Some of the threats it tries to remove are well known families of malware targeting embedded devices.”
According to Symantec, 32 percent of the affected devices are located in China, 16 percent in Brazil, nine percent in Mexico and India, seven percent in Turkey, Italy and Vietnam, five percent in the U.S. and the Republic of Korea, and three percent in Poland.