The vigilante hacker behind the recent Wifatch malware has broken its silence, and Team White is claiming that, at any given time, the number of routers being "protected" by its software is around 60,000. Team White has claimed they infected more than 300,000 total devices, but cannot harden them all.
Team White told SearchSecurity that they never intended to come out in the open. The plan was to quietly secure devices that had been neglected by their owners, but once the media took hold of the story, it made more sense to be open and honest.
"The primary goal was to deny these devices to malware operators," Team White said via email. "What we did was stay honest to ourselves, and not abuse these devices ourselves. Staying secret made sense, to not alert malware authors of this threat to them [sic]."
The Team White hackers claimed that the number of devices being protected by malware scanning in its botnet is usually around 60,000 devices, but said on its GitLab source repository that the number can range to above 100,000. The number of total devices running Wifatch can be more than 300,000 -- most of which are surveillance cameras, not routers. However, not all devices can be protected. The team noted that it does plan to "disinfect" these devices at some point -- the term it uses for hardening the devices it infects and removing malware from them -- but issues such as limited memory can make that task more difficult.
"These devices are almost always very neglected and are often maintained by completely un-technical users. Most of these aren't aware that their router is attacking other hosts on the internet. Chances of reaching anybody who is both authorized and capable are slim," Team White wrote. "We do plan to disinfect these devices at some point though, but this is technically more challenging than what we do now."
In an effort to be more open and honest, the Team White hackers also released part of the code for the Wifatch malware and made it free for use under the General Public License (GPL). Symantec Corp. confirmed that the posted code was real by matching it to the digital signature of the original malware. SearchSecurity also verified the signature on the email correspondence to the PGP key on the GitLab repository.
"We think knowledge should generally be free (including physics courses and bomb plans), with very few (and well-reasoned) exceptions," Team White wrote, "because knowledge itself is neutral, and the best way to reduce damage is to improve the world so there are fewer people who think they need to engage in evil acts."
Team White did acknowledge that releasing malware code can be dangerous, and noted that it took steps to mitigate risks.
"Since there is a tradeoff, we released all of the sources that run on other people's devices, but not the source that allows people to take them over," Team White wrote. "We did not publish the secret key that allows you to give these bots commands, or the code to infect devices."
Security researcher and former black hat hacker Hector X. Monsegur worried that the released code might still be enough for malicious actors to reverse-engineer the rest. Monsegur said this would be possible given the number of devices Wifatch infects but cannot protect, meaning the full infection code could be obtained from those devices.
Monsegur also questioned why Team White doesn't do more to notify the owners of the devices that can't be secured.
"What they can do is automate the reporting process," Monsegur said. "Researchers have been using ZMap and Internet-wide scanners to find vulnerabilities en masse. Write a script to test such results and automate an email template to each ISP."
Team White said it hasn't attempted to contact those it infects for two reasons: scanning the devices for an email address would "violate your privacy," according to Team White, and the team claims that notifying ISPs "hasn't proven to be very fruitful in the past."
Monsegur and other experts also voiced concern about the potential unintended damage that vigilanteware can do. Team White admitted that its software could potentially cause a crash or reboot due to overheating, or it could misidentify normal software as malware and kill it, but said that the team is "reasonably sure" it does more good than harm.
"A lot of malware copies your access data and anything else it can find, passwords, phone numbers and so on. Some of it monitors your internet traffic and again looks for passwords and other sensitive data. Some encrypts files on your NAS devices and demands money for the hope of accessing the data again," Team White wrote. "We do nothing of the sorts, and fortunately, that is something that Symantec and others agree upon. We also carefully monitor our nodes for problems, which is possible for us, but not usually possible for typical malware. We don't believe that the act of infecting a device temporarily and removing obvious malware causes real harm, and that is basically what we do."
Monsegur said the act of spreading the software alone could lead to unintended consequences.
"Their code is still infecting machines without permission, and it appears to be propagating, using your devices. What if your infected device scans a highly sensitive network?" Monsegur asked. "There is a chance of legal consequence, not to mention that not all of the code has been vetted, meaning the potential for bad actors to take over these infected devices all over again."
Although the group is aiming to do good by hardening security on vulnerable devices, Team White does not want people to rely on them, but instead wants to see people take security more seriously and take responsibility for unsecured devices. In the end, the team feels confident that it has done more good than harm.
"While we do not know if, and how many, cases of information theft have been thwarted by Wifatch, we know we didn't add any," Team White wrote. "Of course, complete certainty doesn't exist in reality, but at least we tried our best, which is clearly better than what the manufacturers of these devices have done to protect you, and unlike us, they even got paid for it."