How Vigilante Malware Protects Unpatched Routers, Other Devices

NEWS ANALYSIS: Symantec has found evidence of malware that aims to protect unpatched routers; what's wrong and what's right with this picture?


Countless routers and Internet-connected devices around the world are not properly updated, leaving the devices, their owners and the Internet at large at risk. The risk is usually that the devices can be compromised, leading to stolen user information and further expansion of the ever-growing zombie botnet ranks that attack other users.

A new code infection, however, dubbed Linux.Wifatch, is taking unpatched routers and devices down a different route: protecting them rather than exploiting them.

Symantec security researchers first discovered the Linux.Wifatch Trojan back on Jan. 12, identifying it as very low risk. On Oct. 1, Mario Ballano, senior security response engineer at Symantec, reported that Linux.Wifatch is doing something very uncommon for malware.

"Wifatch has a module that attempts to remediate other malware infections present on the compromised device," Ballano wrote. "Some of the threats it tries to remove are well known families of malware targeting embedded devices."

Like many forms of Trojans, Wifatch has a peer-to-peer network for command and control, and after months of observation, Symantec has not seen any malicious actions being pushed out. It appears as though Wifatch is infecting vulnerable devices by way of weak Telnet connections. Telnet is considered by most security experts to be a weak network protocol due to its lack of password and data encryption.

While it's not clear precisely how many devices have been infected by Wifatch, Symantec estimates it to be tens of thousands.

The idea of malware that protects users as some form of vigilante action is one that is both inspiring and terrifying. Time and again, security experts and vendors advise everyone to keep devices patched, yet the issue still persists. In some cases, users simply don't update devices, either because they don't know how or because they don't know that a patch exists. In other cases, devices are shipped insecure by default (that is, with weak Telnet services enabled that should never have been present on the device in the first place).

Law enforcement officials and service providers have in the past helped vulnerable users secure unpatched, infected machines, though not in the same way that Wifatch does. Back in 2012, when the DNSchanger malware threatened the Internet, the FBI stepped in, taking down the command and control servers. Rather than letting users simply fend for themselves, carriers including Verizon, CenturyLink and Cox Communications redirected impacted users to a safe site, which advised them of additional actions to take to protect themselves.

In the DNSchanger incident, law enforcement was behind the redirection, which is not the case with Wifatch, where the authors are unknown and it's not clear who or what is actually in control. That's a concern, as Wifatch could also be used for malicious purposes, though so far all indications are that the Wifatch authors have good intentions.

The idea of security paternalism—an overarching entity of vendors or organizations looking out for users—is one that makes a whole lot of sense. At the Black Hat USA 2014 event, then Yahoo CSO (now CSO of Facebook) Alex Stamos made a passionate plea for security paternalism. The basic idea is that users don't always know what's best for themselves, while vendors backed by security experts have the tools and experience to defend users.

Wifatch is acting in the spirit of security paternalism—a sort of guardian angel against known threats. It's a good idea, but one that could be vastly improved and validated if the idea and actions behind Wifatch were backed by a known entity. Imagine the good that a government organization, a nonprofit or perhaps a multivendor consortium of service providers could bring to the Internet if security paternalism took hold, protecting unpatched devices.

Defending unpatched, vulnerable devices shouldn't be a vigilante effort; it should be business as usual and part of the best practice for the foundation of Internet security.

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.