Symantec discovers ‘benign’ malware
Cybersecurity company Symantec has discovered a type of malware that, at least at the moment, is used by its developer to close rather than exploit security holes in, for example, routers. It is estimated that tens of thousands of devices are infected.
According to Symantec, the malware, called Linux.Wifatch, mainly targets devices with weak security, such as routers and internet-of-things devices. Mainly the ARM architecture falls prey to Linux.Wifatch. The malware mainly gains access to these devices via telnet, and the brute-forcing of passwords. When a device is infected, it receives and distributes security updates to the infected devices that defend against other types of malware. Linux.Wifatch even disables the Telnet daemon to improve the security of a device.
Symantec first discovered the malware in 2014, but assumed it was a standard case; software used by a malicious person to steal data or spy on users. In April of this year, the bona fide behavior of the malware caught the eye. Since the company kept a close eye on Linux.Wifwatch, it has not been able to find any trace of malicious behavior. Based on that same surveillance, Symantec estimates that tens of thousands of devices are infected by the malware. The majority of those devices are located in China, Brazil, Mexico and India. The Benelux does not name the American company.
Symantec states that the creator of the malware has hardly tried to disguise the Perl source code. The source code even includes a quote from software freedom activist Richard Stallman, addressed to the NSA and FBI. For the users themselves, there is a message in the Telnet interface. Although Linux.Wifatch does not even have the payload on board to deploy the devices for, for example, a DDoS attack, Symantec continues to monitor the malware. It does contain backdoors that allow the maker to gain control over an infected device. When using that backdoor, cryptographic signatures are checked, which makes it unlikely that anyone other than the maker will take over the devices. Users can temporarily rid their devices of the malware by resetting a device, but without a software or firmware update and changing default passwords, the device can simply be re-infected.
Images: Symanteco