Vigilante Malware Protects Routers Against Other Security Threats

← Back to Stories (view on slashdot.org)

Vigilante Malware Protects Routers Against Other Security Threats

Posted by Soulskill on Friday October 2, 2015 @08:12AM from the cybersecurity-gets-weird dept.

Mickeycaskill writes: Researchers at Symantec have documented a piece of malware that infects routers and other connected devices, but instead of harming them, improves their security. Affected routers connect to a peer-to-peer network with other compromised devices, to distribute threat updates. 'Linux.Wifatch' makes no attempt to conceal itself and even left messages for users, urging them to change their passwords and update their firmware. Symantec estimates 'tens of thousands' of devices are affected and warns that despite Wifatch's seemingly philanthropic intentions, it should be treated with caution.

"It should be made clear that Linux.Wifatch is a piece of code that infects a device without user consent and in that regard is the same as any other piece of malware," said Symantec. "It should also be pointed out that Wifatch contains a number of general-purpose back doors that can be used by the author to carry out potentially malicious actions." There is one simple solution to rid yourself of the malware though: reset your device

60 of 79 comments (clear)

Min score:

Reason:

Sort:

Misnomer by Anonymous Coward · 2015-10-02 08:15 · Score: 2

I would call that palware and not malware.
1. Re:Misnomer by KatchooNJ · 2015-10-02 08:17 · Score: 1
  
  Is that greyhat?
  
  --
  "Never give up, for that is just the time and place when the tide will change." -Harriet Beecher Stowe ^_^
2. Re:Misnomer by Anonymous Coward · 2015-10-02 08:24 · Score: 4, Insightful
  
  No. It's whitehat.
  If you're dumber than a sack of hammers and never update your router to fix security problems with its firmware, then this worm (not malware, just a software worm) fixes it for you to prevent some other exploit from doing far, far worse.
  Grayhat is when it also MITM's your https sessions to steal financial details.
  Admittedly, we don't know if this particular worm is whitehat or grayhat yet. We do know for certain that it isn't pure blackhat. And that was pretty much what Symantec said, but in srsbsnss corporate terms.
3. Re:Misnomer by TWX · 2015-10-02 09:02 · Score: 3, Informative
  
  I need proof that it effectively removes or disables itself once it's on there and has no possibility of later command-and-control and could not be directly co-opted by someone with bad intentions before I would call it white-hat. History is loaded with examples where someone or something appeared altruistic but turned out to be sinister in the end.
  
  --
  Do not look into laser with remaining eye.
4. Re:Misnomer by camperdave · 2015-10-02 09:13 · Score: 1
  
  If it's got backdoors, it's no longer whitehat.
  
  --
  When our name is on the back of your car, we're behind you all the way!
5. Re:Misnomer by Anonymous Coward · 2015-10-02 10:09 · Score: 1
  
  If it's got backdoors, it's no longer whitehat.
  false.
  a whitehat could be anticipating that more white intervention might be necessary at some point in the future. it's not clear, but it's not clear that it's white hat. it is clear that your statement is false, however.
  it's opaque hat, or shadow hat.
6. Re: Misnomer by bmcraec · 2015-10-02 12:53 · Score: 1
  
  Symantec would just hate the possibility of a free and better protection introducing itself into their marketplace. They've been coining it for a long time on threat awareness and creation.
  
  --
  "Sufficiently complicated financial instruments are indistinguishable from fraud." --bmcraec
7. Re:Misnomer by Irate+Engineer · 2015-10-02 13:03 · Score: 1
  
  Is that greyhat?
  No, it's asshat.
  
  --
  Left MS Windows for Linux Mint and never looked back!
  Vote for Bernie in 2016!
8. Re:Misnomer by fredgiblet · 2015-10-02 19:58 · Score: 2
  
  Nope, Microsoft released a version for Windows called Windows 10 though.
How is it malware then? by hyperar · 2015-10-02 08:17 · Score: 5, Insightful

Is doing good things, that's not malware.
1. Re:How is it malware then? by Anonymous Coward · 2015-10-02 08:30 · Score: 4, Informative
  
  "It should also be pointed out that Wifatch contains a number of general-purpose back doors that can be used by the author to carry out potentially malicious actions."
  Patching systems or not, creating new backdoors really doesn't make it "doing good things."
2. Re:How is it malware then? by future+assassin · 2015-10-02 08:41 · Score: 1
  
  its GoodyTooShoesWare aka GTSW
  
  --
  by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
3. Re:How is it malware then? by OzPeter · 2015-10-02 08:44 · Score: 4, Insightful
  
  Is doing good things, that's not malware.
  If I walk into your house through the unlocked front door while you are not home, does it protect me from trespassing charges if while I am there I made your bed and did your dishes?
  
  --
  I am Slashdot. Are you Slashdot as well?
4. Re:How is it malware then? by trollingaround · 2015-10-02 08:54 · Score: 1
  
  Is doing good things, that's not malware.
  If I walk into your house through the unlocked front door while you are not home, does it protect me from trespassing charges if while I am there I made your bed and did your dishes?
  Like this woman: http://newsfeed.time.com/2012/...
  Except she was asking for money after cleaning the house.
5. Re:How is it malware then? by Krishnoid · 2015-10-02 08:55 · Score: 4, Funny
  
  Exactly how many dishes and how long have they been sitting in the sink?
6. Re:How is it malware then? by rahvin112 · 2015-10-02 08:58 · Score: 1
  
  Are you offering to make my bed and do my dishes if I leave my door unlocked?
7. Re:How is it malware then? by Minwee · 2015-10-02 09:02 · Score: 2
  
  How do you know that it's doing good things?
  And even if it did good things for someone else, how would you know that it was still doing good things by the time it hit your router?
8. Re:How is it malware then? by Minwee · 2015-10-02 09:04 · Score: 3, Funny
  
  Sure thing. Just post your address here along with the times when you will be out of the house with the doors unlocked and I assure you that everything will be cleaned out by the end of the day.
  Up. I meant up. You can totally trust me on that. Have I ever lied to you before?
9. Re:How is it malware then? by circletimessquare · 2015-10-02 09:04 · Score: 1
  
  i'm going to break into your house
  but it's ok, i just want to wash your dishes
  you don't know me at all. i'm an inexplicable weirdo who breaks into people's houses and does their dishes. but you're good with me being in your house downstairs while you sleep, and me doing that. doesn't bother you at all. right?
  
  --
  intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
10. Re:How is it malware then? by trollingaround · 2015-10-02 09:16 · Score: 1
  
  Isn't it more like finding the door of your home open and getting in to make sure no thief will take advantage of it until you come home?
11. Re:How is it malware then? by OzPeter · 2015-10-02 09:19 · Score: 1
  
  Isn't it more like finding the door of your home open and getting in
  And you have permission to be inside?
  
  --
  I am Slashdot. Are you Slashdot as well?
12. Re:How is it malware then? by trollingaround · 2015-10-02 09:22 · Score: 1
  
  Isn't it more like finding the door of your home open and getting in
  And you have permission to be inside?
  I am not arguing it is lawful. I am just saying it is a better analogy. That's all.
13. Re:How is it malware then? by OzPeter · 2015-10-02 09:24 · Score: 1
  
  I am not arguing it is lawful. I am just saying it is a better analogy. That's all.
  It's the entrance that is the point in question, not what you do once you are inside.
  
  --
  I am Slashdot. Are you Slashdot as well?
14. Re:How is it malware then? by rahvin112 · 2015-10-02 10:10 · Score: 1
  
  Let me just get that written down, while I'm working on that let me assure you that the two large dogs that greet you at the door with barking and scratching at the door are not at all violent and the growling and salivating is simply an emotional response to their love of human contact. Feel free to enter without fear and rumors or signs indicating that they have been trained as attack dogs are simply to scare away intruders and I can guarantee that you won't be attacked and have your throat ripped out.
15. Re:How is it malware then? by Irate+Engineer · 2015-10-02 10:18 · Score: 2
  
  What a deal! My address is One Schroeder Plaza, Boston, MA 02120. I won't be around for a while, but you can go right in any time day or night.
  Bring doughnuts
  
  --
  Left MS Windows for Linux Mint and never looked back!
  Vote for Bernie in 2016!
16. Re:How is it malware then? by circletimessquare · 2015-10-02 10:45 · Score: 1
  
  your argument works for government intrusion too: hey, the nsa is just sticking it's nose in and without your permission monitoring all of your personal private electronic communications. why? to keep you safe. oh that's nice!
  so it's ok, right? no? but that's the same fucking argument you're making
  the real bottom line:
  someone you don't know and do not trust is transgressing your personal property and your privacy, you thick fuck
  never acceptable, no matter what their agenda. because you did not grant them permission
  where do you social retards come from? an elementary school kid can get this
  
  --
  intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
17. Re:How is it malware then? by dissy · 2015-10-02 11:07 · Score: 1
  
  Is doing good things, that's not malware.
  If I walk into your house through the unlocked front door while you are not home, does it protect me from trespassing charges if while I am there I made your bed and did your dishes?
  In that case, just because I can call you a tresspasser, doesn't mean it is proper to also call you a bed-messer-upper or a dish-dirtier.
  Malware is software that harms you. This is not malware. No one said it wasn't an infection, or a virus if you prefer, because that it certainly is.
18. Re: How is it malware then? by rahvin112 · 2015-10-02 14:47 · Score: 1
  
  Never encountered a properly trained dog have you?
19. Re:How is it malware then? by Christian+Smith · 2015-10-04 12:03 · Score: 1
  
  Isn't it more like finding the door of your home open and getting in
  And you have permission to be inside?
  It's more like finding a house with an open door, and smelling gas coming from inside, a potential hazard for the house and everyone else around.
  Or, an even better analogy, finding a car that is open, or already with thieves inside, and closing the door having previously chased the thieves away.
  Oh, and leaving a note about what you did and that you should get your locks checked or changed.
Finally! by Lab+Rat+Jason · 2015-10-02 08:19 · Score: 4, Insightful

This. Is. Awesome!
Finally someone has decided to return to the roots of hacking... making something change just to see the change happen!

--
Which has more power: the hammer, or the anvil?
Mixed feelings.. by s.petry · 2015-10-02 08:27 · Score: 1

I am not sure I agree with this fully. The webcam site which shows all the cameras with default settings I don't take issue with, because it's not doing anything special or malicious to access the camera. In this case, they are doing more than uploading software by using a default password. The original good intention can easily become something bad. You can check history on that last one if you have doubts.

--
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
Let it be christen by megavlad · 2015-10-02 08:31 · Score: 2

This type of virus-like good-guy software shall hereby be known as: Rogueware

Rogueware: A stealth cyber agent which defends crapware.
1. Re:Let it be christen by bob_super · 2015-10-02 08:54 · Score: 1
  
  Does it install tights on the system?
2. Re:Let it be christen by Art3x · 2015-10-02 09:06 · Score: 1
  
  I'm Batware.
Where do I sign up ... by CaptainDork · 2015-10-02 08:34 · Score: 1

... to get this malware?

--
It little behooves the best of us to comment on the rest of us.
1. Re:Where do I sign up ... by KGIII · 2015-10-02 08:56 · Score: 1
  
  You could just patch your router yourself and save everyone the hassle of needing/wanting to author malware (and anything that changes code without permission is malware regardless of intent).
  
  --
  "So long and thanks for all the fish."
2. Re:Where do I sign up ... by bmo · 2015-10-02 09:52 · Score: 1
  
  I would rather have something that auto-updates for me.
  If this was merely a worm (it's not malware) that did a one-time-patch and went on its way, that isn't as useful as something that keeps itself updated and fetches useful router kernel patch upgrades by itself on a regular basis.
  I already do this in my desktop Linux systems. Why can't I have it in my DSL modem/router? (yes, DSL. Fairpoint sucks.)
  --
  BMO
Symantec infects a device with a user's consent. by tlambert · 2015-10-02 08:34 · Score: 4, Informative

It should be made clear that Symantec is a piece of code that infects a device /with/ user consent and in that regard is the same as any other piece of malware that is installed via a phishing attack.
jailbreakme.com by tlambert · 2015-10-02 08:35 · Score: 4, Informative

The original iPhone jailbreaking site, "jailbreakme.com", used the tiff library exploit to install the installer, and then patched the tiff exploit behind itself to prevent it being used for any other (nefarious) purpose, so this type of thing is not a unique or even new idea.
1. Re:jailbreakme.com by OzPeter · 2015-10-02 08:52 · Score: 1
  
  Viruses that fix things weren't even a new idea when the iPhone was being jailbroken.
  
  --
  I am Slashdot. Are you Slashdot as well?
2. Re:jailbreakme.com by Amouth · 2015-10-02 12:04 · Score: 1
  
  anyone remember "Code Red" and "Code Green"? that was a fun month
  
  --
  '...if only "Jumping to a Conclusion" was an event in the Olympics.'
In that respect by hackwrench · 2015-10-02 08:35 · Score: 1

Useful software runs on computers and in that respect is no different than malware.
Interesting by xenotransplant · 2015-10-02 08:42 · Score: 1

IIrc there are some other infections that do this sort of thing ie removing other threats/blocking other malware infections. I think one of them was the TDSS rk. And by doing so it evaded behavioral and real time scanners as it was seen as just another security service.
Re:Symantec infects a device with a user's consent by Anonymous Coward · 2015-10-02 08:46 · Score: 1

Symantec didn't get my consent when they infected my brand new computer with their anti-virus bloatware. Where is an anti-norton virus when you need one?
Seems like a good idea by Timmy+D+Programmer · 2015-10-02 08:54 · Score: 1

Too many vulnerable routers without patches available. If someone came up with a way to plug the vulnerability by exploiting it, Kudos. I say leave it there unless you CAN patch it, then do that instead. If they later abuse it, then reset your router.

--

(If at first you don't succeed, do it different next time!)
Welchia, the 2003 "helpful worm" by by+(1706743) · 2015-10-02 08:55 · Score: 1

The Welchia worm, also known as the "Nachia worm", is a computer worm that exploits a vulnerability in the Microsoft Remote procedure call (RPC) service similar to the Blaster worm. However, unlike Blaster, it first searches for and deletes Blaster if it exists, then tries to download and install security patches from Microsoft that would prevent further infection by Blaster, so it is classified as a helpful worm.
https://en.wikipedia.org/wiki/...
defend the IO tower! by Thud457 · 2015-10-02 09:00 · Score: 2

His name is TRON, he fights for the Users.

--
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Fixing vulnerabilities is pretty common in malware by DougOtto · 2015-10-02 09:02 · Score: 3, Interesting

Lots of malware actually does close security holes, after exploiting the device. If you've worked very hard (or shelled out large amounts of case) for a working zero day, the last thing you want is some other asshole compromising your hacked system and screwing up your back door.

--
Solving Unix problems since 1989...
Hmmmmm by JustAnotherOldGuy · 2015-10-02 09:07 · Score: 2

This....makes me uneasy.
It appears to be benign (or even helpful) but this is a slippery slope...and I can see all sorts of things that can go wrong here.
I want to root for the good guys here (pun intended, heh!) but I don't know...anything that fiddles with my PC or server without my explicit, informed consent and permission just doesn't sit well with me.
It sort of reminds me of the viruses that infect your PC and then disable any competing viruses it finds, so it has your PC all to itself. It doesn't do it for benevolent reasons, it does it because it's greedy and doesn't want to share.
So I dunno. I can't say as I like it, and I can't say as I don't. Major conflicted feelings here.

--
Just cruising through this digital world at 33 1/3 rpm...
1. Re:Hmmmmm by phantomfive · 2015-10-02 19:13 · Score: 1
  
  Think of how upset people get when Microsoft updates things without permission.
  Same thing here, except with less QA.
  
  --
  "First they came for the slanderers and i said nothing."
RobinHoodware by cryptogranny · 2015-10-02 09:08 · Score: 1

Symantec don't like it because who will buy the anitivirus if the RobinHoodware would spread.
Batman by faldore · 2015-10-02 09:21 · Score: 1

Batman learned to code!
1. Re:Batman by RavenLrD20k · 2015-10-06 08:28 · Score: 1
  
  Seriously, who else did he have to program that huge Mainframe/Supercomputer he keeps in his basement? With all his trust issues, I highly doubt he'd be using any Kernel that he didn't develop himself from scratch. Also, he's gotta have some kind of mad hacking/networking skills to be able to pull data off of GCPD and Fed DB's without ever getting detected. All the infrastructure was in place long before anyone else joined the team, save Alfred. Maybe some help from Lucius, but I still wouldn't that much trust in anyone else if I were in his shoes and just as paranoid about my identity.
i just really wanted to say by rewindustry · 2015-10-02 09:43 · Score: 1

well done, and thank you, to whoever did this - great work, more please.
It's an inevitability. by eyenot · 2015-10-02 11:54 · Score: 1

How many man hours are wasted pen testing or setting up security just so that client after client can fail to remain compliant as time goes by?
How many billions of dollars are wasted every year by large corporations failing to secure their data?
Why not just start writing viruses that go out, patch vulnerabilities, throw a middle finger and erase / kill process?
Target the weakest link and do something about it. In fact I feel if a company is "caught" doing this it shouldn't even be considered illegal. This should be considered the future of anti-malware.
Today I was helping a computer illiterate classmate set up some engineering software, and to make idle chat I tried to explain to her Moore's law. And I had to add the caveat that some people felt Moore's law was breaking down.
And I said, what we need today is to focus not on how recklessly we can double computing power but how responsibly we can mitigate threat. And if you follow any of the bevy of pen testers with twitter accounts you'll read long, long lists of newly discovered vulnerabilities every day, many of them quite sweat-inspiring.
There should be a new "law" that describes the increase of threats across some variable like time, or complexity, or something like that.
Anyways the future of anti-malware is likely to be "vigilante ware" whether we like it or not. Some body will get it up their ass to write things like this that don't come with catches like back doors or other worries, and will just start distributing them as 0-day attacks.
With thousands of new pen testers and potential malware authors trained every year, I don't see how the millionth monkey effect can be avoided.
I see people here posting analogies about breaking into your house and doing your dishes. That's fine but this malware is an easy target because of the back doors.
What if you came home and that ugly dirt patch surrounded with paving stones along the front of your house (what the hell is that thing) had been planted with an appropriate selection of flowers to match your "paint"? How are you even going to pursue charges? Who would you be capable of getting interested in finding out whodunit? Probably nobody.
Eventually vigilante ware will be everywhere and I doubt anybody's going to get all that upset about it.
And no, this is not a manifesto.

--
"Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
code that infects a device without user consent by atrimtab · 2015-10-02 12:26 · Score: 1

just like Microsoft Windows!?

--
Facebook is billions of individual "Skinner Boxes." And if you use it you are the pigeon!
Vigilante better than nothing? by iamacat · 2015-10-02 13:14 · Score: 1

Nobody prefers vigilante anything to doing things the right way. The question is, would these devices be realistically fixed over time, or just left open and exploited? If the later, maybe vigilante fix is better than no fix. If I left my door unlocked in a seedy neighborhood, I would rather somebody came and locked it for me than come back and find my house burglarized. The entry point for this thing is simply telnet with default username/password. There is little doubt that chances of malicious exploit are high and owners are not technologically savvy enough to fix the device by themselves even if there was some way to warn them.
Re: Symantec infects a device with a user's consen by tlambert · 2015-10-02 18:25 · Score: 1

Yes they did. It says right on the box that the computer comes with it. You accepted it by buying it.
Your argument is like saying you didn't consent to cancer when you bought and smoked cigarettes.
A better analogy would be "he consented with cancer when he was born with a defective p53 gene on his c17".
By the way: shrink wrap licenses are not valid in all jurisdictions.
Some additional info... by Aryeh+Goretsky · 2015-10-02 23:28 · Score: 1

Hello,

For more information about this malware(ish) campaign, I would refer you to Peter Kosinar's talk at AVAR 2014: Stealing the Internet, One Router at a Time">. Disclaimer: Peter is a friend of mine.
Regards,

Aryeh Goretsky

--
Dexter is a good dog.
wifatch source code on gitlab by wifatch · 2015-10-05 04:54 · Score: 1

The source code apparently has been released on http://gitlab.com/rav7teif/lin...