Security researchers from Symantec Corp. have discovered software called Wifatch, which has infected more than 10,000 routers with the apparent aim of making the devices safer, but experts are split as to whether hardened devices will be the ultimate result.
It is unclear who is behind the Wifatch software, but it has been found to infect more than 10,000 Linux-based routers, mostly in China and Brazil. Wifatch was first discovered by an independent researcher in 2014 and connects routers to a peer-to-peer network that is used to distribute threat updates.
According to a blog post by Mario Ballano, senior threat analyst for Symantec, the company has been monitoring Wifatch for months and has "yet to observe any malicious actions being carried out through it."
Instead, Symantec observed Wifatch apparently attempting to harden the devices it was on by shutting down potentially vulnerable Telnet ports and prompting users to change default passwords or update firmware. It even includes a module that attempts to remove well-known families of malware that target embedded devices like routers.
The Wifatch author left a comment in the source code that references an email signature used by software freedom activist Richard Stallman, which reads: "To any NSA and FBI agents reading my email: please consider whether defending the U.S. Constitution against all enemies, foreign or domestic, requires you to follow Snowden's example."
However, not everyone is convinced this apparent white hat vigilantism should be seen as a good thing. Security researcher and former black hat hacker Hector X. Monsegur said that, at the end of the day, malware is malware, regardless of intent.
"Firstly, he has technically infected you with malware without permission," Monsegur said. "Secondly, unless said malware is open sourced and vetted by the community no one knows if the vigilanteware opens you up to new attacks. Just because it fixes one issue, doesn't mean it will not introduce other issues."
Monsegur pointed to Code Red, a destructive worm unleashed in 2001, which was countered by a piece of white hat software called Code Blue that ultimately proved just as destructive.
Candid Wueest, of Symantec Security Response, said there was no evidence that Wifatch was creating any new vulnerabilities, but it may still cause headaches.
"The device is indeed safer afterwards, as it removes other threats and secures the Telnet," Wueest said. "However, as it replaces the Telnet daemon or reboots the device, it may occasionally break existing processes (e.g., if someone relies on the Telnet communication for work). The author also has the possibility to send system commands in the future, which could of course weaken the devices again."
Wueest also said that while there have been other acts of white hat security vigilantism in the past, this is unlikely to be part of a trend.
"We have seen some white worms in the past, such as the Welchia worm in 2003, which tried to secure systems without doing any damage, but we do not think this is a growing trend," Wueest said. "In most cases, this activity is done illegally and without permission of the owner, and there is always a chance that the target system may crash or behave unexpectedly."
Jeremiah Grossman, founder of WhiteHat Security, agreed that this is unlikely to be part of a trend, and said that the unintended consequences can outweigh the benefits.
"Rogue code and forced updates like this have a way of causing stability issues in the devices, and to the overall systems the malware is trying to protect," Grossman said. "Not to mention the behavior is still very much illegal — at least in the U.S."
Monsegur was unsure whether white hats would take this router malware example and turn it into a trend, but he did expect malicious actors to be able to take advantage of such software if it does spread.
"Vigilanteware is not new. And, it's not the solution to a problem. Once the media start propagating its functionality, copycats will begin doing the same," Monsegur said. "And then smart malware writers will unleash their own twist -- an unforeseen 'bug' which gives them or others access to infected machines."