Monday, October 12, 2015

Vigilante "Malware"?

Hey everyone - I guess I could not stay away.  I will try to post something new when I can, but I do not want to sacrifice quality just to get something out.  I will try my best to post every week or every other week.

Today, I wanted to talk about an interesting article that I read about so-called "vigilante" malware.  The full article was written by Symantec, and is available here.  Allegedly, source code is available here, but I would take that with a grain of salt.   The malware is dubbed Linux.Wifatch and has actually been around since 2014 (and maybe as early as 2013).

Linux.Wifatch targets weakly secured embedded devices running Linux (such as home routers) and takes steps to make them "more secure", such as:
  • Disabling the telnet daemon and telling anyone who then tries to log in via telnet that they need to update the device's firmware
  • Connecting to a botnet that distributes updates and information about threats, presumably so the device can put up rudimentary defenses against common attacks
  • Attempting to remediate other malware already on the device
It is a bit curious that the software only blocks telnet.  Many Internet of Things (IoT) devices have web interfaces that the owner is far more likely to use to administer the device than telnet.  For one thing, the telnet client is not enabled by default on newer versions of Windows, so many users have no way to reach the telnet port at all and will never see the message.  If the author wanted to get a message across to the owner, a better vector would have been the web pages used to administer the device.  To be fair, that would require a database of the configurations of the various devices, because the web pages and web servers differ from device to device.

Another question I have concerns how secure the software itself is.  What is to stop someone from hijacking the botnet's command and control channel, or from exploiting some other vulnerability in the software?  The article mentions that connections to the backdoors opened on the device are verified with cryptographic signatures (probably using a specific key pair).  However, it is not clear how well the keys are protected, nor how secure the rest of the software suite or the device itself is.  Weak credentials might not be the only issue.
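The pattern the article describes, a device that acts on control-channel commands only when they verify under a key it already trusts, is easy to get subtly wrong. The following is an added example written for this post; it is not Wifatch's code and is not taken from the Symantec write-up. It assumes Ed25519 (from Go's standard library; the choice of algorithm is an assumption) and binds a monotonically increasing counter into the signed bytes so that a captured command cannot simply be replayed. It also shows the caveat raised above: once the operator's private key leaks, the verifier accepts anything the thief signs, so key custody matters as much as the verification logic. All keys and command strings below are generated or made up in the block.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Command is a control message as the device would receive it over the
// botnet channel: a monotonically increasing counter, the payload and a
// detached Ed25519 signature over (counter || payload).
type Command struct {
	Counter uint64
	Payload []byte
	Sig     []byte
}

// signedBytes builds the exact byte string that is signed and verified.
// Binding the counter into the signed data is what makes replay detectable.
func signedBytes(counter uint64, payload []byte) []byte {
	buf := make([]byte, 8, 8+len(payload))
	binary.BigEndian.PutUint64(buf, counter)
	return append(buf, payload...)
}

// Sign produces a command with the operator's private key.
func Sign(priv ed25519.PrivateKey, counter uint64, payload []byte) Command {
	return Command{Counter: counter, Payload: payload,
		Sig: ed25519.Sign(priv, signedBytes(counter, payload))}
}

// Device holds the state the device keeps to verify incoming commands: the
// operator's public key (baked into the implant) and the last counter seen.
type Device struct {
	OperatorPub ed25519.PublicKey
	lastCounter uint64
}

var (
	ErrBadSignature = errors.New("signature does not verify under operator key")
	ErrReplay       = errors.New("counter not greater than last accepted counter")
)

// Accept verifies a command and returns its payload, or an error. The
// signature is checked before the counter so that someone who cannot sign
// cannot advance or probe the device's counter state.
func (d *Device) Accept(c Command) ([]byte, error) {
	if !ed25519.Verify(d.OperatorPub, signedBytes(c.Counter, c.Payload), c.Sig) {
		return nil, ErrBadSignature
	}
	if c.Counter <= d.lastCounter {
		return nil, ErrReplay
	}
	d.lastCounter = c.Counter
	return c.Payload, nil
}

// NewKeyPair generates a fresh Ed25519 key pair. Assumption: the operator does
// this once and bakes only the public half into the device.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	opPub, opPriv := NewKeyPair()
	_, attackerPriv := NewKeyPair() // attacker has a key, just not the right one
	dev := &Device{OperatorPub: opPub}

	// Legitimate command (constructed): accepted once.
	cmd := Sign(opPriv, 1, []byte("disable telnetd"))
	_, err := dev.Accept(cmd)
	fmt.Println("operator command:  ", err)

	// The same bytes again: the signature still verifies, the counter does not.
	_, err = dev.Accept(cmd)
	fmt.Println("replayed command:  ", err)

	// Attacker signs with their own key and a fresh counter: rejected.
	forged := Sign(attackerPriv, 2, []byte("re-enable telnetd"))
	_, err = dev.Accept(forged)
	fmt.Println("forged command:    ", err)

	// Attacker who stole the operator's private key: accepted. Once the
	// verification logic is right, key custody is the whole game.
	stolen := Sign(opPriv, 3, []byte("re-enable telnetd"))
	_, err = dev.Accept(stolen)
	fmt.Println("stolen-key command:", err)
}
```

Note what the counter does and does not give you: it stops replay of an old command to the same device, but without a per-device identifier in the signed bytes the same signed command could still be forwarded to every device that trusts the operator key, which for a botnet is presumably the intent.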

The interesting thing about this malware is that it bends the rules of what malware is "supposed" to be.  The word "malware" is a portmanteau of "malicious" and "software".  Malware is typically installed unbeknownst to the user; that is one aspect of its malicious nature (the other being that it subjects the device to the malware author's intentions, which are usually not for the benefit of the user).  Is software with good intentions that is installed without the system owner's knowledge or permission still malware?

Let's pretend for a bit that the claims of Linux.Wifatch's author are legitimate and that he really is trying to make these devices more secure (even if only a little).  On their face, the intentions of this software are admirable: it is trying to make a device secure when its owner has neglected to take basic steps to secure it.  However, there is an old saying: "The road to hell is paved with good intentions."  Wifatch is not doing anything to address the underlying problem, and I do not believe it can.  The underlying problem is that the owner of the device is not knowledgeable about basic device security measures.  I realize that might sound a bit harsh, but with security threats being so commonplace, I do not believe people can afford to be ignorant of them anymore.  I am not saying everyone should become a security expert, but I hope that people in general become more aware of their security vulnerabilities and take even the smallest steps to mitigate them.

For example, one way manufacturers could push owners in this direction would be to redirect the user to a configuration page hosted on the router the first time they try to access the Internet (or the device).  The page would walk the user through changing the password and choosing the (secure) ways they want to administer the device (HTTPS or SSH).  To make the page somewhat phish-resistant, I would embed a string unique to each device in its ROM and print it on the outside of the device or on the box.  When the page is accessed, it would tell the user to verify that string and to continue only if the string on the screen matches the one physically printed on the device or box; a phishing page copying the layout would not know it.  After the initial setup is complete, the page should be disabled so that it cannot be accessed again.  It is like a safety seal for your router.
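To make the proposal concrete, here is an added example of such a first-boot wizard in Go, written for this post and not any vendor's code. Assumptions: the label code `7K2Q-91XZ-LM3A` is made up and stands in for the per-device string read from ROM; the password policy (no default passwords, at least 12 characters) and the set of allowed administration channels (HTTPS and SSH only) are choices of the example; salted SHA-256 stands in for a proper password KDF, which the standard library used here does not provide. Until setup is complete every request is redirected to /setup, the page shows the label code so the owner can compare it with the sticker and requires them to confirm the match, and once setup succeeds the wizard is sealed and /setup answers 404.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"html/template"
	"net/http"
	"strings"
	"sync"
)

// Constructed label code; a real device would read this from ROM/NVRAM.
const labelCode = "7K2Q-91XZ-LM3A"

// Default credentials that must not survive first boot (example policy).
var defaultPasswords = map[string]bool{"": true, "admin": true, "password": true, "1234": true}

// Admin channels the owner may enable; telnet and plain HTTP are deliberately absent.
var allowedChannels = map[string]bool{"https": true, "ssh": true}

var (
	ErrNotVerified = errors.New("owner did not confirm the label code")
	ErrWeakPass    = errors.New("password is a default or shorter than 12 characters")
	ErrBadChannel  = errors.New("unsupported or insecure admin channel")
	ErrSealed      = errors.New("setup already completed")
)

// Wizard is the first-boot setup state. Once sealed, the setup page is gone
// for good (a factory reset, which would reopen it, is out of scope here).
type Wizard struct {
	mu       sync.Mutex
	code     string
	sealed   bool
	salt     []byte
	passHash []byte
	channels []string
}

func NewWizard(code string) *Wizard { return &Wizard{code: code} }

// Apply is the wizard's logic, independent of HTTP so it can be tested directly:
// the owner confirmed the printed code, chose a non-default password of at
// least 12 characters, and picked only secure channels. Success seals the wizard.
func (w *Wizard) Apply(verified bool, password string, channels []string) error {
	w.mu.Lock()
	defer w.mu.Unlock()
	if w.sealed {
		return ErrSealed
	}
	if !verified {
		return ErrNotVerified
	}
	if defaultPasswords[strings.ToLower(password)] || len(password) < 12 {
		return ErrWeakPass
	}
	if len(channels) == 0 {
		return ErrBadChannel
	}
	for _, c := range channels {
		if !allowedChannels[c] {
			return ErrBadChannel
		}
	}
	w.salt = make([]byte, 16)
	if _, err := rand.Read(w.salt); err != nil {
		return err
	}
	w.passHash = hashPassword(w.salt, password) // placeholder for a real KDF
	w.channels = channels
	w.sealed = true
	return nil
}

func hashPassword(salt []byte, password string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	return h[:]
}

// CheckPassword is what the post-setup admin UI would call; constant-time compare.
func (w *Wizard) CheckPassword(password string) bool {
	w.mu.Lock()
	defer w.mu.Unlock()
	return w.sealed && subtle.ConstantTimeCompare(hashPassword(w.salt, password), w.passHash) == 1
}

func (w *Wizard) Sealed() bool { w.mu.Lock(); defer w.mu.Unlock(); return w.sealed }

var page = template.Must(template.New("setup").Parse(`<h1>Router first-time setup</h1>
<p>Continue only if this code matches the label on your router or its box: <b>{{.}}</b></p>
<form method="POST" action="/setup">
<label><input type="checkbox" name="verified"> The code matches my label</label><br>
New admin password: <input type="password" name="password"><br>
<label><input type="checkbox" name="admin" value="https"> HTTPS</label>
<label><input type="checkbox" name="admin" value="ssh"> SSH</label><br>
<button>Finish setup</button></form>`))

// Handler wires the wizard into HTTP: before sealing, every other path is
// redirected to /setup (captive-portal behaviour); after sealing, /setup is gone.
func (w *Wizard) Handler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/setup", func(rw http.ResponseWriter, r *http.Request) {
		if w.Sealed() {
			http.NotFound(rw, r)
			return
		}
		switch r.Method {
		case http.MethodGet:
			_ = page.Execute(rw, w.code)
		case http.MethodPost:
			_ = r.ParseForm()
			if err := w.Apply(r.FormValue("verified") != "", r.FormValue("password"), r.Form["admin"]); err != nil {
				http.Error(rw, err.Error(), http.StatusBadRequest)
				return
			}
			fmt.Fprintln(rw, "Setup complete. The setup page is now sealed.")
		default:
			http.Error(rw, "method not allowed", http.StatusMethodNotAllowed)
		}
	})
	mux.HandleFunc("/", func(rw http.ResponseWriter, r *http.Request) {
		if !w.Sealed() {
			http.Redirect(rw, r, "/setup", http.StatusFound)
			return
		}
		fmt.Fprintln(rw, "admin UI placeholder (HTTPS/SSH only)")
	})
	return mux
}

func main() {
	w := NewWizard(labelCode)
	fmt.Println("listening on :8080; label code is", w.code)
	if err := http.ListenAndServe(":8080", w.Handler()); err != nil {
		fmt.Println(err)
	}
}
```

The checkbox confirming the label is only as strong as the owner's diligence; the code printed on the device authenticates the page to the owner, not the owner to the device. If a manufacturer also wants proof of physical possession, the page should require the owner to type the code rather than merely display it.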

I think that, despite its intentions, Wifatch is still malicious, just not in the "malware" sense.  I think it is not helping the owner of the device as much as its author thinks it is.  I think it would have been better if the software had forced the device owner's hand through education.

What are your thoughts?  What do you think about Wifatch - is it malware or angelware?  Let me know in the comments or via e-mail.
