What if some secret, Internet vigilante was protecting PCs from threats? In a shroud of mystery, he would type out code in the middle of the night, a dark hoodie pulled over his face…
And load malware onto your router.
It may seem like the plot of a high-stakes thriller novel, but it’s a real-life scenario (minus, perhaps, the hoodie). The Internet security firm Symantec has reported code, named Wifatch, that attacks home routers. The twist?
Wifatch actively protects its victims from other forms of malware.
What is Wifatch?
Wifatch is a piece of code that connects routers to a peer-to-peer network of similarly infected devices. If that doesn’t sound familiar, review our post on botnets to learn how an infection like this can turn your PC into a zombie.
The original detector of the code was an independent security researcher, L00t_myself, who noticed it on his own home router. Symantec has been following Wifatch for a while now, noting the following about the sophisticated code:
- It is written in the Perl programming language
- It targets the following architectures: ARM (83%), MIPS (10%), and SH4 (7%)
- It connects infected devices to a peer-to-peer network
What’s especially odd is that router infections are generally carried out for pretty evil reasons. But Wifatch hasn’t delivered any kind of payload…at least, not yet.
So far, it seems, Wifatch is actually protecting systems against malware.
Wifatch is…protecting you?
Wifatch is using this botnet of infected routers to distribute threat updates and remedy malware infections, instead of launching DDoS attacks as you would expect.
What’s more, Symantec reports that the malware is trying to harden the infected devices. It even tells owners when to change passwords or update firmware. In a sense, Wifatch is fighting fire with fire – or malware with malware.
But the plot thickens. The creator of Wifatch reached out to Symantec and was subsequently interviewed for their blog. He admits that while he has no malicious intentions, Wifatch could have an exploitable bug, or someone could steal the key.
Can I trust you to not do evil things with my devices?
Yes, but that is of no help – somebody could steal the key, no matter how well I protect it. More likely, there is a bug in the code that allows access to anybody.
So ultimately, even if the creator of the code has good intentions, your PC is at risk for a malicious payload as a result of Wifatch.
The bottom line
While Wifatch is very interesting malware, it isn’t one you should be trying to contract. The reality is, a secure PC wouldn’t have Wifatch to begin with. You wouldn’t like it if a superhero was hiding in your house all the time just in case someone broke in. It’s still an invasion of your privacy, so Wifatch is ultimately malware.
Remember to have a secure anti-malware program and to create complex passwords. As the creator of Wifatch himself said:
Linux.Wifatch doesn’t use elaborate backdoors or 0day exploits to hack devices. It basically just uses telnet and a few other protocols and tries a few really dumb or default passwords (our favourite is “password”). These passwords are well-known – anybody can do that, without having to steal any secret key.
Basically it only infects devices that are not protected at all in the first place!
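The creator’s point is that Wifatch only gets in through devices that are already wide open: a management service reachable from the Internet, a default or trivial password, and stale firmware. Below is an added example (not code from Symantec, the article, or Wifatch itself) of a small hygiene audit you could run against your own router’s settings to catch exactly those conditions. The RouterConfig fields, the weak-password list and the sample configurations are all constructed for illustration.

```python
"""Hygiene audit for a home router's admin settings, from a defender's stance.

Added example, not part of the original article. The configuration model and
the sample values below are constructed assumptions, not any vendor's format.
"""
from dataclasses import dataclass, field
from typing import List

# Constructed list of the "really dumb or default passwords" the text refers to.
WEAK_PASSWORDS = {"", "password", "admin", "root", "1234", "12345", "123456"}

# Management services that should never be reachable from the Internet side.
REMOTE_ADMIN_SERVICES = {"telnet", "ssh", "http", "https"}


@dataclass
class RouterConfig:
    """Hypothetical snapshot of a router's admin configuration."""
    admin_user: str
    admin_password: str
    wan_exposed_services: List[str] = field(default_factory=list)
    firmware_version: str = ""
    latest_firmware: str = ""


def password_is_weak(password: str, min_length: int = 12) -> bool:
    """True if the password is well-known, too short, or lacks character variety."""
    if password.lower() in WEAK_PASSWORDS:
        return True
    if len(password) < min_length:
        return True
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    return classes < 3


def audit(cfg: RouterConfig) -> List[str]:
    """Return a list of findings; an empty list means the config passes."""
    findings = []

    if cfg.admin_password.lower() in WEAK_PASSWORDS:
        findings.append("admin password is a default or well-known value")
    elif password_is_weak(cfg.admin_password):
        findings.append("admin password is too short or too simple")

    exposed = sorted(s for s in cfg.wan_exposed_services if s in REMOTE_ADMIN_SERVICES)
    if exposed:
        findings.append("remote admin reachable from the Internet: " + ", ".join(exposed))

    if cfg.latest_firmware and cfg.firmware_version != cfg.latest_firmware:
        findings.append(
            f"firmware out of date ({cfg.firmware_version} installed, "
            f"{cfg.latest_firmware} available)"
        )

    return findings


# Constructed sample: the kind of device the text says gets infected.
UNPROTECTED = RouterConfig(
    admin_user="admin",
    admin_password="password",
    wan_exposed_services=["telnet", "http", "dns"],
    firmware_version="1.0.2",
    latest_firmware="1.0.5",
)

# Constructed sample: the same device after following the article's advice.
HARDENED = RouterConfig(
    admin_user="admin",
    admin_password="Tr0ub4dor&3-correct-horse",
    wan_exposed_services=["dns"],
    firmware_version="1.0.5",
    latest_firmware="1.0.5",
)

if __name__ == "__main__":
    for name, cfg in (("unprotected", UNPROTECTED), ("hardened", HARDENED)):
        result = audit(cfg)
        print(f"{name}: {'OK' if not result else ''}")
        for line in result:
            print("  -", line)
```

Running the block prints three findings for the unprotected sample (default password, telnet and HTTP exposed on the WAN side, stale firmware) and OK for the hardened one. The checks map directly onto the creator’s description: closing the telnet path, dropping the default password and keeping firmware current are what make a router uninteresting to this kind of scanner.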
Have a great, vigilante-free day!