Routers are among the most hackable devices connected to the internet: not often updated, easily compromised, and virtually never scanned for viruses. However, a new router virus may actually be making the units safer, according to a report from the security firm Symantec. Dubbed Linux.Wifatch, the bug behaves like an everyday virus from the outside: infecting the system, operating undetected, and coordinating actions via a peer-to-peer network. However, instead of performing DDoS attacks or looking for sensitive information, Wifatch acts like a vigilante, and its primary function appears to be protecting the device from other malware and viruses. It stays updated on virus definitions by way of its peer-to-peer network, deletes any spyware it finds, and cuts off various channels malware would usually use to attack the router. In short, Wifatch is actually defending its victims!
Most of Wifatch’s code is written in the Perl programming language. It targets several architectures and ships its own static Perl interpreter for each of them. Once a device is infected with Wifatch, it connects to a peer-to-peer network that is used to distribute threat updates.
It is still unclear where Wifatch comes from or why it was created, but it appears to be completely different from the typical virus. First discovered in 2014, the virus appears to make little effort to hide itself, and leaves numerous benign messages in its code. One, triggered when a person tries to access the device over Telnet, reminds users to update the machine’s firmware. Another, dropped as a comment in the source code, repeats a statement from free-software activist Richard Stallman: “To any NSA or FBI agents reading this: please consider whether defending the US constitution against all enemies, international or domestic, requires you to follow Snowden’s example.”
Symantec estimates “somewhere within the order of tens of thousands of devices” are infected with the virus, with infections largely centered in Brazil, China, and Mexico. Resetting the router is enough to remove the virus; however, the firm warns that a router might become reinfected over time. “Symantec will be keeping a close eye on Linux.Wifatch and the actions of its mysterious creator,” the post concludes. “Customers are suggested to keep their system’s software and firmware updated.”