Virus helps improve device security, says Symantec
Wifatch virus updates security of IoT devices, warns users to update passwords and firmware
A virus which appears to strengthen the security of devices, rather than compromise them, has infected tens of thousands of IoT devices and home routers, according to Symantec.
The security firm said that the virus, named Linux.Wifatch, appears to be infecting devices and then automatically improving their security. Linux.Wifatch has primarily built an infected network of ARM-architecture devices, such as connected devices and home routers, and is distributing threat updates and even issuing warnings to device owners to update their passwords.
Symantec said that the virus first came to light in 2014, but after further analysis of samples captured by its honeypots, the company found a number of unusual behaviours.
Mario Ballano, a senior security response engineer at Symantec, wrote in a company blog post: "The further we dug into Wifatch's code the more we had the feeling that there was something unusual about this threat. For all intents and purposes, it appeared like the author was trying to secure infected devices instead of using them for malicious activities."
Once a device is infected with Wifatch, it will try to connect to a peer-to-peer network of infected devices that is used to distribute threat updates. Symantec said it did not detect any malicious software being distributed by Wifatch, and that all of its hardcoded routines seem to have been implemented in order to harden compromised devices.
The virus will also try to prevent further access by killing the legitimate Telnet daemon, leaving a message for the device owner to change passwords and update the firmware. It also contains modules to remove other known malware infections from the device, particularly malware that targets embedded devices.
Wifatch even seems to take steps to implement other security measures, such as weekly reboots on devices including CCTV systems, which would kill malware that Wifatch would not otherwise be able to tackle. None of the source code has been encrypted, and it also includes debug messages for easier analysis, suggesting the author was not taking steps to hide the purpose of the code.
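The hardening steps described above (no exposed Telnet daemon, a scheduled weekly reboot) are things a device owner can check for themselves rather than relying on a vigilante infection. The following is an added example, not code from the article or from Wifatch: it parses constructed samples in the format of busybox `netstat -tln`, `ps` and a root crontab as found on many embedded Linux routers, and reports which of those conditions hold.

```python
import re

# Constructed sample output, in the format of busybox `netstat -tln` on a router.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
"""

# Constructed sample output, in the format of busybox `ps`.
SAMPLE_PS = """\
  PID USER       VSZ STAT COMMAND
    1 root      1234 S    init
  412 root      2100 S    telnetd -l /bin/login
  530 root      3300 S    httpd
"""

# Constructed root crontab: reboot every Sunday at 03:00 (day-of-week field is 0).
SAMPLE_CRONTAB = "0 3 * * 0 /sbin/reboot\n"


def telnet_exposed(netstat_text):
    """Return local addresses listening on TCP port 23 that are not loopback-only."""
    exposed = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[-1] == "LISTEN":
            addr, _, port = fields[3].rpartition(":")
            if port == "23" and not addr.startswith("127."):
                exposed.append(fields[3])
    return exposed


def telnetd_running(ps_text):
    """True if a telnetd process appears in the process listing."""
    return any(re.search(r"\btelnetd\b", line) for line in ps_text.splitlines())


def weekly_reboot_scheduled(crontab_text):
    """True if a cron entry runs reboot with a day-of-week field other than '*'."""
    for line in crontab_text.splitlines():
        parts = line.split(None, 5)  # minute hour dom month dow command
        if len(parts) == 6 and "reboot" in parts[5] and parts[4] != "*":
            return True
    return False
```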
Ballano said that while no malicious actions had been detected on the Wifatch network, the code still opened a number of back doors onto devices, and that it could still be hiding some malignant purpose.
"There is no doubt that Linux.Wifatch is an interesting piece of code. Whether the author's intentions were to use their creation for the good of other IoT users, vigilante style, or whether their intentions were more malicious remains to be seen. What we do know is that it pays to be suspicious and, with this in mind, Symantec will be keeping a close eye on Linux.Wifatch and the activities of its mysterious creator," Ballano wrote.