
Router malware may be white hat security vigilantism

An unknown source is infecting thousands of routers with malware not to intentionally cause harm, but apparently as an act of white hat security vigilantism to make the routers safer.

Security researchers from Symantec Corp. have discovered software called Wifatch, which has infected more than 10,000 routers with the apparent aim of making the devices safer, but experts are split as to whether hardened devices will be the ultimate result.

It is unclear who is behind the Wifatch software, but it has been found to infect more than 10,000 Linux-based routers, mostly in China and Brazil. Wifatch was first discovered by an independent researcher in 2014 and connects routers to a peer-to-peer network that is used to distribute threat updates.

According to a blog post by Mario Ballano, senior threat analyst for Symantec, the company has been monitoring Wifatch for months and has "yet to observe any malicious actions being carried out through it."

Instead, Symantec observed Wifatch apparently attempting to harden the devices it was on by shutting down potentially vulnerable Telnet ports and prompting users to change default passwords or update firmware. It even includes a module that attempts to remove well-known families of malware that target embedded devices such as routers.
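The hardening step described above, closing Telnet, is something a router owner can check for themselves rather than wait for a third party to do it. The following Python script is an added example, not code from the article, from Symantec or from Wifatch: it parses the output of `netstat -tln` in the BusyBox format common on embedded Linux routers (the sample output is constructed for this example) and reports every Telnet listener together with how widely it is bound. The column layout assumed here is the standard `Proto Recv-Q Send-Q Local Address Foreign Address State` form.

```python
"""Audit a router's listening sockets for exposed Telnet (TCP/23).

Input is the text of `netstat -tln` as produced by BusyBox on embedded
Linux devices. Nothing is contacted over the network; the script only
interprets the listener table.
"""
from typing import Dict, List

# Constructed sample of `netstat -tln` output from a home router.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:22          0.0.0.0:*               LISTEN
tcp        0      0 :::23                   :::*                    LISTEN
"""

# Bind addresses that accept connections on every interface, WAN included.
WILDCARDS = {"0.0.0.0", "::", "*"}
TELNET_PORT = "23"


def parse_listeners(netstat_output: str) -> List[Dict[str, str]]:
    """Return one record per LISTEN line: protocol, bind address and port."""
    listeners = []
    for line in netstat_output.splitlines():
        parts = line.split()
        # Skip headers and anything that is not a TCP socket in LISTEN state.
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6") or parts[-1] != "LISTEN":
            continue
        # "Local Address" is the fourth column; split on the last colon so
        # IPv6 addresses such as ":::23" are handled correctly.
        addr, _, port = parts[3].rpartition(":")
        listeners.append({"proto": parts[0], "addr": addr, "port": port})
    return listeners


def classify_scope(addr: str) -> str:
    """Describe how reachable a listener is, judged by its bind address alone."""
    if addr in WILDCARDS:
        return "all-interfaces"
    if addr.startswith("127.") or addr == "::1":
        return "loopback"
    return "specific-interface"


def audit_telnet(netstat_output: str) -> List[Dict[str, object]]:
    """List every Telnet listener and flag those bound to all interfaces."""
    findings = []
    for entry in parse_listeners(netstat_output):
        if entry["port"] != TELNET_PORT:
            continue
        scope = classify_scope(entry["addr"])
        findings.append({
            "socket": f"{entry['addr']}:{entry['port']}",
            "scope": scope,
            "exposed": scope == "all-interfaces",
        })
    return findings


if __name__ == "__main__":
    for finding in audit_telnet(SAMPLE_NETSTAT):
        status = "EXPOSED" if finding["exposed"] else "limited"
        print(f"telnet listener {finding['socket']:<16} {finding['scope']:<18} {status}")
```

A wildcard bind is the thing to act on: disable the Telnet daemon in the router's administration interface, or restrict it to the LAN interface if it is genuinely needed. Note the limitation of this check: `netstat` shows what is bound, not what is filtered, so a `0.0.0.0:23` listener behind a firewall rule that drops WAN traffic is less exposed than the script reports, and a listener with no such rule is exactly as exposed as it looks.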

The Wifatch author left a comment in the source code that references an email signature used by software freedom activist Richard Stallman, which reads: "To any NSA and FBI agents reading my email: please consider whether defending the U.S. Constitution against all enemies, foreign or domestic, requires you to follow Snowden's example."

However, not everyone is convinced this apparent white hat vigilantism should be seen as a good thing. Security researcher and former black hat hacker, Hector X. Monsegur said that at the end of the day malware is malware, regardless of intent.

"Firstly, he has technically infected you with malware without permission," Monsegur said. "Secondly, unless said malware is open sourced and vetted by the community, no one knows if the vigilanteware opens you up to new attacks. Just because it fixes one issue doesn't mean it will not introduce other issues."

Monsegur pointed to Code Red, a destructive worm unleashed in 2001, which was countered by a piece of white hat software called Code Blue that ultimately proved just as destructive.

Candid Wueest of Symantec Security Response said there was no evidence that Wifatch was creating any new vulnerabilities, but it may still cause headaches.

"The device is indeed safer afterwards, as it removes other threats and secures the Telnet," Wueest said. "However, as it replaces the Telnet daemon or reboots the device, it may occasionally break existing processes (e.g. - if someone relies on the Telnet communication for work). The author also has the possibility to send system commands in the future, which could of course weaken the devices again."

Wueest also said that while there have been other acts of white hat security vigilantism in the past, this is unlikely to be part of a trend.

"We have seen some white worms in the past, such as the Welchia worm in 2003, which tried to secure systems without doing any damage, but we do not think this is a growing trend," Wueest said. "In most cases, this activity is done illegally and without permission of the owner, and there is always a chance that the target system may crash or behave unexpectedly."

Jeremiah Grossman, founder of WhiteHat Security, agreed that this is unlikely to be part of a trend, and said that the unintended consequences can outweigh the benefits.

"Rogue code and forced updates like this have a way of causing stability issues in the devices, and to the overall systems the malware is trying to protect," Grossman said. "Not to mention the behavior is still very much illegal — at least in the U.S."

Monsegur was unsure whether white hats would take this router malware example and turn it into a trend, but he did expect malicious actors to be able to take advantage of such software if it does spread.

"Vigilanteware is not new. And, it's not the solution to a problem. Once the media start propagating its functionality, copycats will begin doing the same," Monsegur said. "And then smart malware writers will unleash their own twist -- an unforeseen 'bug' which gives them or others access to infected machines."

What do you think of white hat vigilantism?

Interesting. I know way too many people who do not set passwords for their networks because they do not know how. It may be because they lack the knowledge. If this is a true 'white hat' act that is protecting people, it may not be a bad thing. This sounds like it is going the extra mile to protect the user instead of trying to steal data. Only time will tell if it is a true act of kindness to help protect users.
Even if a supposed white hat hack was in fact meant to be helpful, I would always be worried about some black hat finding problems with it and causing problems in a way that is harder for the consumer to repair.

At least that's how I see it.