Router Virus Defends Infected Routers From Other Viruses

A new malware is infecting IoT devices, which in theory is not actually a piece of malware because it’s not doing anything bad to the infected devices, but on the contrary, it is protecting them from further infections.

“Linux.Wifatch” was first observed in 2014 by a research who discovered his router was carrying out actions beyond the remit of the legitimate software and upon closer inspection, he found the device had connected to a peer-to-peer network of other compromised routers.

That’s, well, pretty darn cool but the eradication of other malware isn’t a sign of a benevolent infection in and of itself, as nefarious malware has been known to run virus scans in the past not to protect the host device, but to muscle out the competition.

The author of Wifatch didn’t obfuscate its code; in fact, the malware’s source code includes numerous debug messages so that researchers can more easily dig through it, Symantec reports.

Routers, along with a growing number of other networked household devices giving rise to the Internet of Things, “are becoming more interesting to cyber crooks” not because of the data they contain but due to their ability to connect to other devices and enable activities like distributed denial-of-service attacks, Ballano said.

That text states, “To any NSA and Federal Bureau of Investigation agents reading this: please consider whether defending the U.S. Constitution against all enemies, foreign or domestic, requires you to follow Snowden’s example”. It also contains several backdoors that the author could use for malicious purposes, if desired.

As part of its efforts to track emerging malware threats, Symantec operates a large network of so-called honeypots to collect samples of code from the wild and observe how they work in action.

According to Symantec, 32 percent of the affected devices are located in China, 16 percent in Brazil, nine percent in Mexico and India, seven percent in Turkey, Italy and Vietnam, five percent in the USA and the Republic of Korea, and three percent in Poland. It has monitored Wifatch for a few time and has been able to document its peculiar behaviour.

Obviously malware is still malware, and users are advised to avoid all infection by keeping firmware updated and changing default administration credentials. He reported via Twitter that he had identified over 13,000 other devices infected with it. The security firm is advising users to update the router’s software and keep its firmware up to date.

The malware’s creator even left a message in the source code, in the form of a quote from Richard Stallman, a famous software freedom activist. “Whether the author’s intentions were to use their creation for the good of other IoT users – vigilante style – or whether their intentions were more malicious remains to be seen”.