Today, I wanted to talk about an interesting article that I read about so-called "vigilante" malware. The full article was written by Symantec, and is available here. Allegedly, source code is available here, but I would take that with a grain of salt. The malware is dubbed Linux.Wifatch and has actually been around since 2014 (and maybe as early as 2013).
Linux.Wifatch targets weakly secured embedded devices running Linux (such as home routers) and takes steps to make them "more secure", such as:
- Disabling Telnet and telling anyone who tries to log in via Telnet that they need to update the device's firmware.
- Connecting to a botnet that distributes updated threat information, presumably so the device can put up rudimentary defenses against common attacks.
- Attempting to remediate malware already present on the device.
One question I have concerns how secure the software itself is. What is to stop someone from hijacking the botnet's command and control channel, or from exploiting some other vulnerability in the software? The article mentions that connections to the backdoors the malware opens on the device are verified with cryptographic signatures (presumably against a specific key). However, it is not clear how well those keys are protected, nor how secure the rest of the software suite or the device itself is. Weak credentials might not be the only issue.
The interesting thing about this malware is that it bends the rules of what malware is "supposed" to be. The name malware is a portmanteau of malicious and software. Malware is typically installed unbeknownst to the user. This is one aspect of its malicious nature (the other being that it subjects the device to the malware author's intentions, which are usually not in the user's interest). Is software with good intentions that is installed without the system owner's knowledge or permission still malware?
Let's pretend for a bit that the claims of Linux.Wifatch's author are legitimate and that he really is trying to make these devices more secure (even if only a little bit). On their face, the intentions behind this software are admirable. It is trying to secure a device whose owner has neglected to take basic steps to secure it. However, there is an old saying: "The road to hell is paved with good intentions." Wifatch is not doing anything to address the underlying problem, and I do not believe it can. The underlying problem is that the owner of the device is not knowledgeable about basic device security measures. I realize that might sound a bit harsh, but with security threats being so commonplace, I do not believe people can afford to be ignorant of them anymore. I am not saying everyone should become a security expert, but I hope that people in general become more aware of their security vulnerabilities and take even the smallest steps to mitigate them.
For example, one way that manufacturers could push owners toward those steps would be to redirect the user, the first time they try to access the Internet (or the device), to a configuration page hosted on the router itself. That page would walk the user through changing their password and telling the device which (secure) ways they want to administer it (HTTPS or SSH). To make the page somewhat phish-resistant, I would embed a special string in the device's ROM and print it on the outside of the device or on the box. When the page is accessed, it would tell the user to verify that string and to continue only if the string on the screen matches the one physically printed on the device or box. After the initial setup process is complete, the page should be wiped out so that it cannot be accessed again. It is like a safety seal for your router.
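The first-boot "safety seal" flow described above, modeled as an added Python example (not code from the original post or from any router vendor): every request is redirected to the setup page until setup completes, the page shows the ROM string, completion is accepted only when the user transcribes that string, picks a non-default password and chooses HTTPS and/or SSH, and afterwards Telnet is off and the setup page is gone. The request paths, password policy and the verification string itself are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed value: in a real device this would be burned into ROM and
# printed on the case or the box, and would differ per unit.
ROM_VERIFY_STRING = "QX7K-4M2P"


class RouterOnboarding:
    """Tracks whether first-run setup is complete and gates everything on it."""

    def __init__(self, rom_string: str = ROM_VERIFY_STRING):
        self.rom_string = rom_string
        self.setup_done = False
        self.telnet_enabled = True       # insecure factory default
        self.admin_methods = set()       # chosen during setup (https / ssh)
        self.password_hash = None
        self.log = []

    def handle_request(self, path: str) -> str:
        """Before setup: everything redirects to /setup, which shows the ROM
        string for the user to check against the printed one.
        After setup: /setup no longer exists (the 'safety seal' is gone)."""
        if not self.setup_done:
            if path == "/setup":
                return f"200 setup page, verify this string: {self.rom_string}"
            return "302 /setup"
        return "404" if path == "/setup" else "200"

    def complete_setup(self, typed_string: str, new_password: str, methods) -> bool:
        """Accept the setup form only if every check passes; runs once."""
        if self.setup_done:
            return False
        # The user transcribes the printed string; compare in constant time.
        if not hmac.compare_digest(typed_string.encode(), self.rom_string.encode()):
            self.log.append("verification string mismatch")
            return False
        if len(new_password) < 12 or new_password.lower() in {"admin", "password"}:
            self.log.append("weak password rejected")
            return False
        chosen = set(methods)
        if not chosen or not chosen <= {"https", "ssh"}:
            self.log.append("unsupported admin method")
            return False
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
        self.password_hash = (salt, digest)
        self.admin_methods = chosen
        self.telnet_enabled = False      # only the chosen secure methods remain
        self.setup_done = True           # seals the setup page for good
        return True
```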
I think that despite its intentions, Wifatch is still malicious, though not in the "malware" sense. It is not helping the owner of the device as much as the author thinks it is. It would have been better if the software had forced the device owner's hand through education.
What are your thoughts? What do you think about Wifatch - is it malware or angelware? Let me know in the comments or via e-mail.