The bot, dubbed by Symantec “Linux.Wifatch,” was first spotted in November 2014 when an independent researcher noticed some interesting processes on his home router. Symantec has been monitoring the threat since March 2015 and the security firm has been trying to solve the mystery of Wifatch ever since.
Symantec researchers have avoided calling Wifatch a piece of malware because it doesn’t actually do anything malicious. Instead, it appears to be the work of what experts call an “Internet of Things (IoT) vigilante” who wants to protect routers and other IoT devices from malicious actors.
Wifatch seems to scan the Web for devices that it can infect over Telnet, likely by using weak credentials. Once it infects a device, the threat can be controlled by its operator using commands signed with a private Elliptic Curve Digital Signature Algorithm (ECDSA) key.
The malware is developed in Perl and each sample comes with its own Perl interpreter. Infected devices are connected to a peer-to-peer (P2P) network that is used to distribute updates, researchers said.
The backdoors set up by Wifatch would normally allow infected devices to be abused for a wide range of activities, from distributed denial-of-service (DDoS) attacks to DNS poisoning. However, the actor behind the malware is using it to scan the device for known malware families based on their signatures and to disable Telnet to keep others out.
While it’s not uncommon for malware to attempt to keep other threats out of the infected system, Wifatch actually informs users trying to connect over Telnet that the service has been disabled to prevent further infection of the device, and even provides recommendations for preventing attacks.
In the case of the Dahua DVR CCTV system, a special module allows Wifatch to configure the device so that it reboots every week. Since rebooting a device usually removes the malware running on it, this could be an attempt to defend these types of systems in case the malware cleanup mechanism cannot be run or Telnet cannot be disabled.
Symantec has identified tens of thousands of devices infected with Wifatch, most of which are routers and IP cameras. Roughly one third of the infections have been spotted in China, followed by Brazil (16%), Mexico (9%), India (9%), Vietnam (7%), Italy (7%), Turkey (7%), South Korea (5%), and the United States (5%).
The threat is designed to target several types of architectures, but most of the infected devices are based on ARM (83%), followed by MIPS (10%), and SH4 (7%).
The author of Wifatch has also taken precautions to ensure that the botnet cannot be hijacked by others. Since it relies on a P2P architecture, there is no command and control (C&C) server, and since all commands are signed with a private ECDSA key, it’s very difficult for unauthorized users to send commands.
Symantec researcher Mario Ballano told SecurityWeek in an interview at the Virus Bulletin conference in Prague that the author of the threat seems to be an expert in cryptography and he has taken the necessary measures to prevent takeovers.
Wifatch could be operated by a group of individuals, but based on the consistency of the code Ballano believes it’s likely the work of a single individual. The author of Wifatch is not easy to track down since he uses the Tor anonymity network for sending commands to the bots.
While the Wifatch botnet could always be repurposed for malicious activities considering that it’s a fairly sophisticated threat, researchers haven’t spotted any malicious traffic so far and there appear to be no malicious routines. Furthermore, unlike other pieces of malware, Wifatch’s code has not been obfuscated or encrypted (it has only been compressed), and it contains a lot of debug information.
Further indication that this could be the work of a “vigilante” is provided by the following comment in the source code, which has been attributed to software freedom activist Richard Stallman: “To any NSA and FBI agents reading my email: please consider whether defending the US Constitution against all enemies, foreign or domestic, requires you to follow Snowden’s example.”