Menu
A viral vigilante may be keeping an eye on your home router

A viral vigilante may be keeping an eye on your home router

An old virus affecting routers running Linux appears to be protecting them from other malware infections, Symantec researchers say

An old virus affecting routers and other devices running Linux appears to be acting as a digital vigilante, protecting routers in the dark alleyways of the Internet from other malware infections.

Researchers at Symantec first began tracking Linux.Wifatch on Jan. 12, describing it merely as a "Trojan that may open a back door on the compromised router" and adding a couple of pages of generic advice for removing it and keeping it from infecting other devices

The company subsequently noted that another researcher going by the name l00t_myself had spotted the virus in his home router as long ago as November 2014. He dismissed it as easy to decode and having "stupid coding bugs." He reported via Twitter that he had identified over 13,000 other devices infected with it.

That prompted other researchers to chime in that they too had identified it, variously nicknaming it Reincarna and Zollard -- which was spotted in Internet-connected devices as far back as 2013.

Then things went quiet: The developer of the virus didn't do anything bad with the backdoor access, and the other researchers seemed to lose interest.

Now, though, the Symantec researchers think they've figured out what Linux.Wifatch was up to: It was keeping other viruses out of the devices it had invaded.

That in itself is nothing new: the botnet creators have been known to defend their patch before, fighting off or removing rival malware in order to maintain their botnet's destructive power.

The difference, according to Symantec researcher Mario Ballano, is that Wifatch seems only to be defending, not attacking. "It appeared like the author was trying to secure infected devices instead of using them for malicious activities," he wrote in a blog post Thursday.

Devices infected with Wifatch communicate via their own peer-to-peer network, using it to distribute updates about other malware threats. They don't exchange malicious payloads, and in general the code seems designed to harden, or protect, the infected devices.

For instance, Symantec believes Wifatch infects the devices via telnet, exploiting weak passwords -- but if anyone else, including the device's owner, attempts to connect via telnet, they receive the following message: "Telnet has been closed to avoid further infection of this device. Please disable telnet, change telnet passwords, and/or update the firmware."

It also attempts to remove other well-known router malware.

A further sign of its author's good intentions, Ballano said, is that there is no attempt to hide the malware: the code is not obfuscated, and it even includes debug messages making it easier to analyze.


Follow Us

Join the newsletter!

Or
Error: Please check your email address.

Featured

Slideshows

Looking back at the top 15 M&A deals in NZ during 2017

Looking back at the top 15 M&A deals in NZ during 2017

In 2017, merger and acquisitions fever reached new heights in New Zealand, with a host of big name deals dominating the headlines. Reseller News recaps the most important transactions of the Kiwi channel during the past 12 months.

Looking back at the top 15 M&A deals in NZ during 2017
Kiwi channel closes 2017 with After Hours

Kiwi channel closes 2017 with After Hours

The channel in New Zealand came together to celebrate the close of 2017, as the final After Hours played out in front of a bumper Auckland crowd.

Kiwi channel closes 2017 with After Hours
Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP honoured leading partners across the channel at the Partner Awards 2017 in New Zealand, recognising excellence across the entire print and personal systems portfolio.

Meet the top performing HP partners in NZ
Show Comments