Update – October 5, 2015: The creators of Linux.Wifatch responds to our blog posting explaining the reasons for their actions.

The following story could well work as the script of a Hollywood movie or superhero comic.

Let me introduce you to Linux.Wifatch, one of the latest pieces of code infecting Internet of Things (IoT) devices. We first heard of Wifatch back in 2014, when an independent security researcher noticed something unusual happening on his home router. The researcher identified running processes that didn’t seem to be part of the legitimate router software and decided to investigate further. During his analysis he discovered a sophisticated piece of code that had turned his home router into a zombie connected to a peer-to-peer network of infected devices.

Lately we’ve seen that home routers, and IoT devices in general, are becoming more interesting to cyber crooks; these devices may not hold a lot of interesting data but under the control of criminals they have proven to be quite useful, for instance, to articulate distributed denial-of-service (DDoS) attacks. As well as this, it’s difficult for the average user to detect if one of these devices has become infected and so most infections go unnoticed. In April of this year, we were provided with some additional information on Wifatch. At first sight there was nothing unusual about it—as part of Symantec’s efforts to identify malware targeting embedded devices we run a large network of honeypots that collect many samples and Wifatch seemed to be just another of these threats. However, after a closer look, this particular piece of code looked somewhat more sophisticated than the average embedded threat we usually spot in the wild.

A force for good or a force for evil?

During our analysis we began to unveil some of Wifatch’s secrets. Most of Wifatch’s code is written in the Perl programming language and it targets several architectures and ships its own static Perl interpreter for each of them. Once a device is infected with the Wifatch, it connects to a peer-to-peer network that is used to distribute threat updates.

The further we dug into Wifatch’s code the more we had the feeling that there was something unusual about this threat. For all intents and purposes, it appeared like the author was trying to secure infected devices instead of using them for malicious activities.

Wifatch’s code does not ship any payloads used for malicious activities, such as carrying out DDoS attacks, in fact all the hardcoded routines seem to have been implemented in order to harden compromised devices. We’ve been monitoring Wifatch’s peer-to-peer network for a number of months and have yet to observe any malicious actions being carried out through it.

In addition, there are some other things that seem to hint that the threat’s intentions may differ from traditional malware.

Wifatch not only tries to prevent further access by killing the legitimate Telnet daemon, it also leaves a message in its place telling device owners to change passwords and update the firmware.



Figure 1. Message left by Wifatch

Wifatch has a module that attempts to remediate other malware infections present on the compromised device. Some of the threats it tries to remove are well known families of malware targeting embedded devices.

The threat author left a comment in the source code that references an email signature used by software freedom activist Richard Stallman (Figure 2).



Figure 2. Comment in Wifatch source code

Wifatch’s code is not obfuscated; it just uses compression and contains minified versions of the source code. It would have been easy for the author to obfuscate the Perl code but they chose not to. The threat also contains a number of debug messages that enable easier analysis. It looks like the author wasn’t particularly worried about others being able to inspect the code.

The threat has a module (dahua.pm) that seems to be an exploit for Dahua DVR CCTV systems. The module allows Wifatch to set the configuration of the device to automatically reboot every week. One could speculate that because Wifatch may not be able to properly defend this type of device, instead, its strategy may be to reboot it periodically which would kill running malware and set the device back to a clean state.

Hint of a dark side?

Despite the previously listed actions, it should be made clear that Linux.Wifatch is a piece of code that infects a device without user consent and in that regard is the same as any other piece of malware. It should also be pointed out that Wifatch contains a number of general-purpose back doors that can be used by the author to carry out potentially malicious actions. However, cryptographic signatures are verified upon the use of the back doors to verify that commands are indeed coming from the malware creator. This would reduce the risk of the peer-to-peer network being taken over by others.

We believe that most of Wifatch’s infections are happening over Telnet connections to devices using weak credentials. After monitoring Wifatch’s network for a number of months, we estimate it to include somewhere in the order of tens of thousands of devices. The following charts show the breakdown of affected countries and the architectures of infected devices.



Figure 3. Breakdown of infected countries



Figure 4. Breakdown of infected architectures

A selection of ARM architectures make up the bulk of infected devices, with MIPS and SH4 making up the majority of the remaining. PowerPC and X86 both account for an insignificant percentage (0.132 collectively).

Suspicious minds

There is no doubt that Linux.Wifatch is an interesting piece of code. Whether the author’s intentions were to use their creation for the good of other IoT users—vigilante style—or whether their intentions were more malicious remains to be seen. What we do know is that it pays to be suspicious and, with this in mind, Symantec will be keeping a close eye on Linux.Wifatch and the activities of its mysterious creator.

Mitigation

Resetting an infected device will remove the Wifatch malware; however, devices may become infected again over time. If possible, users are advised to keep their device’s software and firmware up to date and to change any default passwords that may be in use.

Update – October 5, 2015:

The author of Linux.Wifatch has responded to our blog and posted a Q&A to explain their actions. The following is an extract from the response.