The relationship between the Internet and justice and law enforcement is reminiscent of the Wild West. In the Wild West, the bad guys would often get away with crimes because of the lack of laws and law enforcement. This didn't sit well with many, and vigilante justice arose to protect victims of injustice. There is the perception -- right or wrong -- that cybercriminals can easily commit crimes on the Internet with little fear of getting caught or being punished. One of the reasons cybercriminals can commit crimes so easily is that many devices and systems are configured insecurely by default. While we need to work as a community to make sure justice is legally supported, others have taken the cybervigilante approach to try to protect society.
This tip takes a look at the cybervigilantes and their malware, and explores what such actions could mean for the future of enterprise malware protection.
Linux.Wifatch is so-called vigilante malware: it infects Internet of Things (IoT) devices and home network routers in order to secure them. The malware does not currently persist past a reboot, so it can be cleaned from an infected system simply by rebooting. At the same time, it potentially exposes the device to new vulnerabilities introduced by Wifatch's own code. Wifatch scans the network looking for IPs with open telnet servers using default or weak passwords. Once a vulnerable system is identified, it logs in and disables telnet to secure the device. It has modules for different architectures, so new functionality can be incorporated into the worm. It also has a peer-to-peer command-and-control infrastructure that it connects to once a device is infected.
Mass scanning of Internet-connected devices to identify, catalog, and report on threats has crossed the line from being unacceptable to some to being acceptable to most because of the significant benefits demonstrated by companies such as Qualys SSL Labs, Shodan and others. This type of data is critical for the community to make decisions and assess the risk of certain kinds of vulnerabilities. These search engines or scanners perform a function similar to the Wifatch malware in identifying vulnerable devices, but they do not take the next step of logging into the actual devices in order to fix the problems identified.
Future of enterprise malware protection
Protecting vulnerable systems from Wifatch minimally requires blocking inbound telnet connections at the network boundary. There are very few legitimate reasons for telnet to be allowed inbound from the Internet to arbitrary IP addresses, so blocking it should have little impact. There are legitimate reasons for IoT devices to connect outbound to a controller or data collection source, but that does not require an inbound connection from the Internet, and such outbound connections would not be affected by blocking inbound access. IoT devices and home network routers typically have minimal security options for protecting the system, but using the few that are available is critical to keeping them secure. The most important of these options are keeping the system updated with patches/firmware and changing default passwords.
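The policy described above, written out as a small evaluator that a practitioner could run over connection records. This is an added example, not code from the original tip or from the Wifatch author: it denies inbound telnet (TCP/23) from anywhere outside the local subnet, leaves device-initiated outbound connections untouched, and can optionally refuse all inbound connections that do not originate on the LAN. The subnet `192.168.1.0/24`, the three-field log format and the addresses in `SAMPLE_LOG` are all constructed for the example.

```python
"""Inbound connection policy for an IoT device or home router (added example)."""
import ipaddress
from collections import Counter
from dataclasses import dataclass

TELNET_PORT = 23
# Assumed home LAN; a real deployment would read this from the device's config.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Conn:
    direction: str   # "in" = toward the device, "out" = initiated by the device
    src: str         # peer IP address
    dst_port: int    # destination port on the device (or peer, for "out")


def evaluate(conn: Conn, local_net=LOCAL_NET, local_only: bool = False):
    """Return ("allow" | "deny", reason) for a single connection."""
    if conn.direction == "out":
        # Outbound traffic to a controller/collector is not affected by the rule.
        return "allow", "outbound (device-initiated) traffic is unaffected"
    src = ipaddress.ip_address(conn.src)
    if conn.dst_port == TELNET_PORT and src not in local_net:
        # The minimal protection from the text: no telnet from the Internet.
        return "deny", "inbound telnet from outside the local subnet"
    if local_only and src not in local_net:
        # Optional stricter stance: nothing inbound unless it comes from the LAN.
        return "deny", "inbound from outside the local subnet"
    return "allow", "permitted"


def parse_line(line: str) -> Conn:
    """Constructed log format: '<in|out> <peer-ip> <port>'."""
    direction, src, port = line.split()
    return Conn(direction, src, int(port))


# Constructed sample records: two Internet telnet attempts, one LAN telnet
# session, one outbound HTTPS to a controller, one inbound HTTP from the Internet.
SAMPLE_LOG = """\
in 203.0.113.7 23
in 203.0.113.7 23
in 192.168.1.20 23
out 198.51.100.5 443
in 198.51.100.9 80
"""


def apply_policy(log: str = SAMPLE_LOG, local_only: bool = False):
    """Evaluate each record; return (decisions, count of denied telnet attempts per source)."""
    decisions = []
    telnet_blocked = Counter()
    for line in log.splitlines():
        if not line.strip():
            continue
        conn = parse_line(line)
        verdict, reason = evaluate(conn, local_only=local_only)
        decisions.append((conn, verdict, reason))
        if verdict == "deny" and conn.dst_port == TELNET_PORT:
            telnet_blocked[conn.src] += 1
    return decisions, telnet_blocked


if __name__ == "__main__":
    decisions, blocked = apply_policy()
    for conn, verdict, reason in decisions:
        print(f"{verdict:5} {conn.direction:3} {conn.src:15} :{conn.dst_port:<4} {reason}")
    print("denied telnet attempts by source:", dict(blocked))
```

The per-source counter is the part worth watching: a single address repeatedly denied on port 23 across many devices is exactly the footprint of a telnet-credential worm like the one the tip describes, and it is visible at the boundary without ever letting the connection through.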
On the positive side, Wifatch could start an evolution in malware protection and bring some much-needed attention to nontraditional platforms. IoT devices and home routers have not typically been targeted by malware, but they also haven't received significant attention from cybersecurity professionals and vendors when it comes to securing the devices. These devices need additional attention around secure default configurations because, unlike general-purpose systems, they typically have no antimalware or separate security hypervisor/monitor, regardless of the OS. Secure default configurations must start with the original equipment manufacturer designing secure operating systems, with auto-updating functionality enabled by default and an easy-to-use setup or management system to securely configure the devices. This will require advocacy and pressure from enterprises on the IoT vendors to develop these systems securely.
The secure-by-default stance could also include restricting network access to untrusted devices; for example, an IoT device might not allow a network connection from outside its local subnet or require authentication for the connection. That won't solve the problem, but could help minimize the attack surface. Some in the security industry think antimalware software is on its way out, and it may be, but antimalware software has provided a much-needed security layer to monitor the host system. This same functionality could be performed by centralized management software, whitelisting tools, host-based intrusion detection/intrusion prevention tools and other products where something separate from the core operating system is monitoring the security of the device and alerting security managers when issues are identified. For an IoT device, that monitoring could be easier to perform because of the limited functionality of the device, making it easier to whitelist approved functionality. But the hardware resource constraints for a low-cost and low-power device will make it more difficult to have the extra resources to devote to monitoring security. Given the importance of monitoring for security, the resource utilization seems reasonable.
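The monitoring approach the paragraph above describes, as an added example that is not part of the original tip: because a single-purpose IoT device does one job, its expected state can be enumerated in an allowlist (which programs run, which ports listen, which outbound destinations are approved), and a monitor separate from the device's own OS compares a live snapshot against it and alerts on every deviation. The process names (`sensord`, `httpd`, `dropbear`, `unknown-bin`), the controller hostname and the peer address in the suspect snapshot are constructed for the example; how the snapshot is collected from the device is left to the deployment.

```python
"""Allowlist-based monitor for a single-purpose IoT device (added example)."""
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class Allowlist:
    processes: Set[str]      # executables expected on the device
    listen_ports: Set[int]   # ports the device is allowed to expose
    outbound: Set[str]       # "host:port" destinations the device may contact


@dataclass(frozen=True)
class Snapshot:
    processes: List[str]
    listen_ports: List[int]
    outbound: List[str]      # "host:port"


# Hypothetical baseline for a sensor that serves a local web UI and reports
# to one controller over HTTPS. Telnet (23) is deliberately absent.
BASELINE = Allowlist(
    processes={"sensord", "httpd", "dropbear"},
    listen_ports={80},
    outbound={"controller.example.net:443"},
)


def check(snapshot: Snapshot, allow: Allowlist = BASELINE) -> List[str]:
    """Compare a live snapshot against the allowlist; return one alert per deviation."""
    alerts = []
    for proc in snapshot.processes:
        if proc not in allow.processes:
            alerts.append(f"unexpected process: {proc}")
    for port in snapshot.listen_ports:
        if port not in allow.listen_ports:
            alerts.append(f"unexpected listening port: {port}")
    for dest in snapshot.outbound:
        if dest not in allow.outbound:
            alerts.append(f"unexpected outbound connection: {dest}")
    return alerts


def severity(alerts: List[str]) -> str:
    """Coarse triage: any unexpected listener or outbound peer is 'high'."""
    if any(a.startswith(("unexpected listening", "unexpected outbound")) for a in alerts):
        return "high"
    return "medium" if alerts else "none"


# Constructed snapshots. CLEAN matches the baseline exactly. SUSPECT shows a
# telnet daemon exposed (the exposure the tip says such devices ship with),
# an unknown binary running, and a new outbound peer-to-peer connection.
CLEAN = Snapshot(["sensord", "httpd"], [80], ["controller.example.net:443"])
SUSPECT = Snapshot(
    ["sensord", "httpd", "telnetd", "unknown-bin"],
    [80, 23],
    ["controller.example.net:443", "203.0.113.44:7331"],
)


if __name__ == "__main__":
    for name, snap in (("clean", CLEAN), ("suspect", SUSPECT)):
        found = check(snap)
        print(f"{name}: severity={severity(found)}")
        for a in found:
            print("  -", a)
```

The allowlist is deliberately small and static: on a device with fixed functionality the cost of maintaining it is low, and the monitor itself needs only a few list comparisons, which is what makes this form of monitoring plausible within the resource constraints the paragraph mentions. Note that the same check would flag the device's original telnet exposure (port 23 listening) before any vigilante or attacker ever reached it.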
The positives and negatives of cybervigilantes
There may be some positive benefits of cybervigilantes, but expert skills are necessary to ensure the positive benefits outweigh the potential for mistakes that could cause significant damage. The potential downside is that a mistake by a cybervigilante, such as a simple coding vulnerability in Wifatch, could have more negative impact than an actual attack. The security industry should forcefully advocate for more secure systems so potential cybervigilantes do not feel compelled to take unauthorized and potentially damaging actions to protect society.