Author Topic: Good Samaritan malware, known as Linux.Wifatch, protects ARM-based routers !?

Posted by: SCF Administrator (Samker's Computer Forum)
Threat boffin Mario Ballano says VXers have broken into a host of routers, creating a botnet dedicated solely to securing and hardening the devices.

The Symantec security man says the botnet, first detected in November last year, has not launched a single denial-of-service attack or undertaken any form of black-hat activity in the months it has been monitored.

Ballano says the Linux.Wifatch malware kills exposed Telnet services, preventing further attacks; destroys common embedded device malware; and leaves a text message that admins should change their passwords and update firmware.

"For all intents and purposes it appeared like the author was trying to secure infected devices instead of using them for malicious activities," Ballano says:

"Wifatch’s code does not ship any payloads used for malicious activities, such as carrying out DDoS attacks; in fact, all the hardcoded routines seem to have been implemented in order to harden compromised devices."

"We’ve been monitoring Wifatch’s peer-to-peer network for a number of months and have yet to observe any malicious actions being carried out through it."

The malware also contains an exploit for Dahua CCTV systems that reboots the devices weekly, in what appears to be an attempt to kill non-persistent malware infections.

Ballano says the VXer does not attempt to obfuscate the malware code and merely shrinks the file size.

Moreover the author has supplied handy commentary to assist researchers in debugging the malware.

The VXer appears to be a fan of Snowden and Stallman, citing the latter Linux lover's letter within the malware code:

"To any NSA and FBI agents reading this: please consider whether defending the US Constitution against all enemies, foreign or domestic, requires you to follow Snowden's example."

Ballano, however, still toes the anti-virus line and says the malware is still malicious code, since it is an unauthorised intrusion and contains backdoors that could be used for black-hat hacking.

Even so, the backdoors rely on cryptographic signatures, such that only commands from the author's command and control will be run.

Most infections are in ARM-based devices in China, Brazil, Mexico and India.
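The signed-backdoor point above, as an added illustration that is not Wifatch's code or Symantec's analysis: a device that holds only the operator's Ed25519 public key and runs a command only if the signature verifies and the command is fresh. Whoever captures the binary or the peer-to-peer traffic gets the public key and old signed messages, neither of which lets them issue their own commands. The key pair, the command strings, the message layout and the sequence-number replay check are assumptions for this example; the article does not describe Wifatch's actual message format or signature scheme.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Device models an infected device that will only run commands carrying a
// valid signature from the operator's private key. Only the public key is
// embedded on the device, so a third party who extracts it from the binary
// cannot forge commands for the device.
type Device struct {
	operatorPub ed25519.PublicKey
	lastSeq     uint64 // highest sequence number accepted so far (replay protection)
}

var (
	ErrBadSignature = errors.New("command rejected: signature does not verify")
	ErrReplay       = errors.New("command rejected: sequence number not increasing")
	ErrMalformed    = errors.New("command rejected: malformed message")
)

// encode builds the byte string that gets signed: an 8-byte big-endian
// sequence number followed by the command text. The layout is an assumption
// for this example. Signing the sequence number together with the command
// stops an attacker from re-sending an old, genuinely signed command.
func encode(seq uint64, cmd string) []byte {
	buf := make([]byte, 8+len(cmd))
	binary.BigEndian.PutUint64(buf, seq)
	copy(buf[8:], cmd)
	return buf
}

// Sign is the operator (command-and-control) side: produce a signed command
// for sequence number seq.
func Sign(priv ed25519.PrivateKey, seq uint64, cmd string) (msg, sig []byte) {
	msg = encode(seq, cmd)
	return msg, ed25519.Sign(priv, msg)
}

// Accept is the device side: return the command text if, and only if, msg was
// signed by the operator key and carries a sequence number the device has not
// seen yet. Verification runs before the freshness check so that unsigned
// junk cannot influence the counter.
func (d *Device) Accept(msg, sig []byte) (string, error) {
	if len(msg) < 8 || len(sig) != ed25519.SignatureSize {
		return "", ErrMalformed
	}
	if !ed25519.Verify(d.operatorPub, msg, sig) {
		return "", ErrBadSignature
	}
	seq := binary.BigEndian.Uint64(msg[:8])
	if seq <= d.lastSeq {
		return "", ErrReplay
	}
	d.lastSeq = seq
	return string(msg[8:]), nil
}

func main() {
	// Constructed key pair standing in for the operator's key.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dev := &Device{operatorPub: pub}

	// A genuine command (the article says Wifatch kills exposed Telnet services).
	msg, sig := Sign(priv, 1, "killall telnetd")
	fmt.Println(dev.Accept(msg, sig))

	// The same message replayed: refused.
	fmt.Println(dev.Accept(msg, sig))

	// A command signed with somebody else's key: refused.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmsg, fsig := Sign(attackerPriv, 2, "download-and-run http://attacker.example/bot")
	fmt.Println(dev.Accept(fmsg, fsig))
}
```

The device never holds anything that can produce a valid signature, which is what makes "only the author's command and control can drive the backdoor" a property of the design rather than a promise. It also shows why Ballano still classes the code as malicious: the same mechanism would let the key holder push any command at all, and nothing on the device can tell a hardening command from a harmful one.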
