Dragon News

An inside look at the world of Team Cymru. Cybersecurity tools, tips, news and views.

Vigilante Malware, Dark Knight or Dangerous Joke?

jshuman

It’s hard not to like the Batman story. Bruce Wayne, billionaire, playboy, philanthropist, bypasses the ineffectual and corrupt establishment to take the fight to the baddies. There’s something romantic about the notion of taking matters into your own hands and getting stuff done where others can’t.

Now, according to research by Symantec, it seems we have our very own virtual vigilante. Thousands of home routers and other devices have been found to be infected with the seemingly benevolent Linux.Wifatch malware.

Reports say that analysis of the code hasn’t revealed any modules linked to malicious activity. Quite the opposite, the malware actually applies security fixes. As a side note, what do we even call malware that doesn’t appear to be harmful? Benware?

Of course, it’s fairly common for attackers to close the hole they used to break into a system, so they can operate the compromised machine in peace, unhindered by other actors.

In this case, however, there’s no evidence that the malware author has abused the access that they’ve gained. Wifatch isn’t even particularly quiet about its presence on a device. For example, once it kills a Telnet process, it displays a message containing helpful security advice on subsequent login attempts.

So, who is the coder behind the mask, and what are their intentions? We don’t know, and therein lies the problem.

In the Doctor Who episode “The Power of Three”, [spoiler alert, if you’re about two series behind] millions of cubes appear overnight across the planet. At first, the cubes seem completely inert, and eventually people come to accept them as handy paperweights and ornaments. Naturally, being Doctor Who, things don’t stay this way for long and the cubes are soon revealed to be part of an insidious invasion plot.

The point is, nothing can be taken at face value; things that appear to be benign, even good, especially things that appear to be good, have to be treated with some skepticism at first. That’s a pity, but it’s the truth.

Even if the original author’s intentions are honorable, it’s not impossible that the botnet could fall into less scrupulous hands in the future. The owners of infected devices did not opt into this “service”, for want of a better term, and are unlikely to take action should the news break that the network is now distributing dangerous updates.

In that case, one might argue that on balance the “victim” is no worse off, as their device would likely have been compromised via one of the patched attack vectors in the meantime anyway. We’re not even going to touch the topic of whether the paternalistic, it’s-for-their-own-good attitude is a helpful one; that’s a whole other can of worms.

Leaving the philosophical discussions aside for a moment, there’s no avoiding the fact that unauthorized access to computer systems is, in most parts of the world, a crime. All the best of intentions doesn’t excuse an individual from complying with the law. Whatever anyone’s personal opinions of this guy/girl/group’s actions may be, that’s just how it is.

One hint to this actor’s motivations can be found in a comment placed in the Wifatch source code, which references Richard Stallman’s email signature: it is directed at the FBI and NSA, and makes mention of the US constitution and Edward Snowden.

So perhaps the actor is American, and one can take a fair stab at their political leanings. Then again, they could have written anything in there. Without wanting to indulge in conspiracy theories, this could easily be a red herring designed to throw us all off the scent; we’ll leave you to draw up your own lists of possibilities…

So what’s the moral of the story? Turn off Telnet and keep your devices up to date. Can’t argue with that!

Need more malware info? Why not check out Team Cymru’s Malware Feeds.

Photo Credit, ‘Fruit bats’ by shellac, used under Creative Commons license 2.0