[See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/324647414](https://www.researchgate.net/publication/324647414_Wifatch_Atypical_Malware?enrichId=rgreq-388ebff4ee2b0fed85a29a92f68f1f60-XXX&enrichSource=Y292ZXJQYWdlOzMyNDY0NzQxNDtBUzo2MTc0MDkzOTYzNjMyNzFAMTUyNDIxMzI3OTkzMQ%3D%3D&el=1_x_2&_esc=publicationCoverPdf) ### Wifatch: Atypical Malware **Technical Report · April 2018** DOI: 10.13140/RG.2.2.27854.77123 CITATION 1 **2 authors:** [Nur Syazana Mohd. Adi Firdaus Tan](https://www.researchgate.net/profile/Nur-Syazana-Mohd-Adi-Firdaus-Tan?enrichId=rgreq-388ebff4ee2b0fed85a29a92f68f1f60-XXX&enrichSource=Y292ZXJQYWdlOzMyNDY0NzQxNDtBUzo2MTc0MDkzOTYzNjMyNzFAMTUyNDIxMzI3OTkzMQ%3D%3D&el=1_x_5&_esc=publicationCoverPdf) [Universiti Sains Malaysia](https://www.researchgate.net/institution/Universiti-Sains-Malaysia?enrichId=rgreq-388ebff4ee2b0fed85a29a92f68f1f60-XXX&enrichSource=Y292ZXJQYWdlOzMyNDY0NzQxNDtBUzo2MTc0MDkzOTYzNjMyNzFAMTUyNDIxMzI3OTkzMQ%3D%3D&el=1_x_6&_esc=publicationCoverPdf) **1** PUBLICATION **1** CITATION READS 347 [Selvakumar Manickam](https://www.researchgate.net/profile/Selvakumar-Manickam?enrichId=rgreq-388ebff4ee2b0fed85a29a92f68f1f60-XXX&enrichSource=Y292ZXJQYWdlOzMyNDY0NzQxNDtBUzo2MTc0MDkzOTYzNjMyNzFAMTUyNDIxMzI3OTkzMQ%3D%3D&el=1_x_5&_esc=publicationCoverPdf) [Universiti Sains Malaysia](https://www.researchgate.net/institution/Universiti-Sains-Malaysia?enrichId=rgreq-388ebff4ee2b0fed85a29a92f68f1f60-XXX&enrichSource=Y292ZXJQYWdlOzMyNDY0NzQxNDtBUzo2MTc0MDkzOTYzNjMyNzFAMTUyNDIxMzI3OTkzMQ%3D%3D&el=1_x_6&_esc=publicationCoverPdf) **272** PUBLICATIONS **1,787** CITATIONS [SEE PROFILE](https://www.researchgate.net/profile/Nur-Syazana-Mohd-Adi-Firdaus-Tan?enrichId=rgreq-388ebff4ee2b0fed85a29a92f68f1f60-XXX&enrichSource=Y292ZXJQYWdlOzMyNDY0NzQxNDtBUzo2MTc0MDkzOTYzNjMyNzFAMTUyNDIxMzI3OTkzMQ%3D%3D&el=1_x_7&_esc=publicationCoverPdf) [SEE PROFILE](https://www.researchgate.net/profile/Selvakumar-Manickam?enrichId=rgreq-388ebff4ee2b0fed85a29a92f68f1f60-XXX&enrichSource=Y292ZXJQYWdlOzMyNDY0NzQxNDtBUzo2MTc0MDkzOTYzNjMyNzFAMTUyNDIxMzI3OTkzMQ%3D%3D&el=1_x_7&_esc=publicationCoverPdf) **Some of the authors of this publication are also working on these related projects:** Dynamic Evolving Cauchy possibilistic clustering based on the self-similarity principle (DECS) for Enhancing Intrusion Detection System [View project](https://www.researchgate.net/project/Dynamic-Evolving-Cauchy-possibilistic-clustering-based-on-the-self-similarity-principle-DECS-for-Enhancing-Intrusion-Detection-System?enrichId=rgreq-388ebff4ee2b0fed85a29a92f68f1f60-XXX&enrichSource=Y292ZXJQYWdlOzMyNDY0NzQxNDtBUzo2MTc0MDkzOTYzNjMyNzFAMTUyNDIxMzI3OTkzMQ%3D%3D&el=1_x_9&_esc=publicationCoverPdf) An Enhancement of Security Mechanism in IPv6 Internet Protocol [View project](https://www.researchgate.net/project/An-Enhancement-of-Security-Mechanism-in-IPv6-Internet-Protocol?enrichId=rgreq-388ebff4ee2b0fed85a29a92f68f1f60-XXX&enrichSource=Y292ZXJQYWdlOzMyNDY0NzQxNDtBUzo2MTc0MDkzOTYzNjMyNzFAMTUyNDIxMzI3OTkzMQ%3D%3D&el=1_x_9&_esc=publicationCoverPdf) ----- # Wifatch: Atypical Malware ## More Good Than Harm? #### Nur Syazana bt. Mohd. Adi Firdaus Tan Dr. Selvakumar Manickam National Advanced IPV6 Centre National Advanced IPV6 Centre Universiti Sains Malaysia (USM) Universiti Sains Malaysia (USM) Penang, Malaysia Penang, Malaysia SyazanaTan.student@usm.my selva@usm.my **_Abstract—This paper encompasses the review of the malware_** setting up honeypots in efforts to collect samples of this **Wifatch that was discovered in 2014, how it has impacted** embedded device targeted malware. Generally, home routers **Internet of Things (IoT) devices, how it has changed the typical** are often used by cyber criminals to perform acts such as **perception of malware having a malicious nature, and what has** Distributed Denial of Service (DDoS) attacks. Unsuspecting **been revealed in its role in security.** users would not have noticed the difference as it tends to go unnoticed as how other infections are [6]. **_Keywords—Malware; Linux; Symantec; Internet of Things;_** **_P2P._** Unlike other malwares, this particular subject is dubbed as the “vigilante” of its kind. This is due to the fact that it serves I. INTRODUCTION one purpose – to protect the devices that it infects. By According to Fisher (2018), the composition of the word identifying weak, or unchanged passwords through hacking “malware” originates from the combination of “malicious”, and Telnet, and other protocols. It would then disable Telnet after “software”. It is used to depict the nature of software that is scanning for known malwares in the device to avoid further created with ill intentions such as intrusion of permission on a infections. Although there is potential in misusing the computer to steal personal information through the usage of a backdoor created by Wifatch, it was never put into use for backdoor. Software that behaves in such a way that it wasn’t anything of sorts – which leads to experts believing that it was intended to could also be classified as a malware [1]. They part of the “IoT vigilantes” effort in securing devices that were exist in forms such as rootkits, spyware, Trojans, adwares, at risk [7]. viruses, and worms – all of which are used to complete tasks such as stealing data that are protected, deleting, or even adding software without the user’s approval, or III. IMPACT ON IOT acknowledgement [2]. It has been reported that there were speculations whereby In a modernized world, the need for a globalized devices, Wifatch was created in attempts to fend against surveillance by and network of machines that are capable of interacting with governmental agencies – for instance, National Security one another is the basis of Internet of Things – which is also Agency (NSA). A comment left in the piece of code quoted known as Internet of Everything. In simpler terms, IoT is from Richard Stallman in this malware hints on defending defined as devices that are linked to the Internet, and are constitutional rights of the people. Knowing the nature of how equipped with sensors, and actuators [3] [4]. home routers could be used as a medium to spread updates without acknowledgement from the user – this malware will By infiltrating a vulnerable Telnet authentication, Wifatch urge the device’s owner to make use of stronger passwords, uses a backdoor through routers at home to communicate with aside from updating the current firmware as such ignorance a Command & Control (C&C) server. What makes it unique is could lead to future mishaps. In order to “prevent” certain that although it is classified as a malware, it acts a guard devices such as the CCTV (of which Wifatch is unable to against other forms of infection without any malicious intent to “protect” against other malwares), it was designed to reboot the its host – hence, it is categorized as a white – hat Trojan [5]. system after a certain period of time - taking advantage of the fact that malwares in embedded systems are not as persistent, and that a reinstallation must take place for them to take effect. II. THE DISCOVERY Although it is concerning, the researchers have found that the In 2014, an unusual activity was detected on a home router commands that were passed through the backdoor were by an independent security researcher in which the process cryptographically signed. In other words, this indicates that was not part of the original device’s software. Upon further only the original author would be able to control what it does. investigation, an intricate, and sophisticated code - designed in In turn, this cuts the chances of the said malware of being Perl - was discovered that had caused the router to manipulated by malicious hijackers. Interestingly enough, the involuntarily connect to other infected network of peer – to – Internet is claimed to be at a safer state – all thanks to Wifatch peer devices. This was further investigated by Symantec by [8][9]. ----- IV. THE GOOD AND THE BAD Known for its “good” intentions”, Symantec’s Mario Ballano made a point that it could be manipulated to inflict detrimental damage at any given time through its general – purpose back doors. It is still regarded as a malware since it infects the device without the user’s consent. Relying on a malware to “guard” one’s system would not exactly be a wise choice, and thus it is still placed under careful watch [10]. The positives gained from Wifatch’s release: - For educational purposes, and to encourage learning. This is supported by the fact that the Perl code was not obscure, and that the creator was not concerned of having it being inspected, nor shared. The source code was only compressed, and minified. Released version of it did not contain the private key, selected parts of the C&C, and infection code to prevent misuse [7]. - To promote better understanding in the need to heighten security measures. If in the wrong hands, the botnets are able to carry out DDoS attacks through the infected routers. Hence, it raises the issue in the importance of addressing default security configurations before it is taken advantage of. - Increasing security in general. - Counteracting against illegal mining of Bitcoin. - Saving bandwidth by cancelling out other malware scans. - Reduces interruption of service, reboots, and overheat of device. - Saving credentials from being stolen. It is noted that the creation, and spread of the malware is originally caused by the neglect of the user themselves: - Leaving default security configurations, and passwords. - Lack of concern, and awareness among users. - Poor habit, and encouragement by Internet Service Providers (ISP) to retain original credentials for easier maintenance. - Insecure Telnet protocol. V. BACKGROUND Inspired by Carna botnet, the idea of Wifatch was to challenge the idea of not being able to create something of similar sorts whereby it challenges the existing security level of embedded devices. It is considered to be “virtually nonexistent”, and thus giving rise for the need to “protect” these vulnerable users. As Carna botnet before it, it was crucial to act against the vulnerability that existed. With over a year spent on ways to reliably shut down the Telnet’s port, implementing malware detection, and functions for disinfecting the system, on top of the technicalities within bootstrapping a botnet – everything within Wifatch’s functionalities was a challenge. Wifatch was never meant to be kept a secret, and upon agreement of free licensing under General Public License – it was made public. The creator firmly stated that although the created malware holds no ill intentions – users should not use this as a form of comfort, and safety. The known issues, and security holes must be dealt immediately. It does not utilize 0day exploits, nor elaborate backdoors to infiltrate a system, and its target only comprises of unprotected devices. Users are open to experiment with the codes available on almost an x86 or AMD64 Linux Kernel by loading them on the same directory with a stable network access in order to connect to the P2P network with the option of obtaining the extension modules, and upgrading the bot. It will create a database directory upon finding a suitable mountpoint. Users must keep in mind that there is no warranty for self experimentation. Not only that, users are encouraged to volunteer to help as more reliable machines are needed in order to serve as a backend database for malware signatures. Generally, this botnet requires a full network access to enable it to scan vulnerable devices. It is reachable via UDP, and TCP with the range 32769 – 65534. Infections are carried out from a centralized point, and only a single keypress is needed if anything goes sour. When asked if the same creator was behind Carna botnet, it was declined. Inspiration was derived from the collected data of the said botnet. The team remains anonymous, though goes by the name “The White Team”. VI. INFECTION STATISTICS Figure 1: Infected Architecture Breakdown [6] ----- Figure 2: Infected Countries Breakdown [6] Figure 1 depicts the three major architectures that were found to be infected with this malware. ARM architecture is most prevalent as it is the most used firmware partnered with complimenting cores known to be used by multiple successful companies such as Apple, Nvidia, Qualcomm, and even Samsung Electronics. This is makes up the majority of mobile devices, and embedded systems. MiPS is known to be used in gaming consoles, supercomputers, and even in automobiles. Certain embedded systems utilize SH4 in cellular phones, LCD TVs, and NAS. Whilst not included in the chart – it is reported that X86, and PowerPC holds a miniscule percentage of 0.132 of total infection percentage [6]. Based on figure 2, the countries affected are listed down accordingly. However, it is to be noted that the percentage breakdown may not be as depicted as the malware is removed upon resetting the said infected device. It may also become infected after time if the router’s firmware is not up to date, or is still using its default password [6]. VII. CONCLUSION While the creation is meant for good use, the users should never grow too comfortable in relying on a white – hat malware to take care of a security issue when it could have been issued with as simple as changing the default credentials of a router. As quoted by Harrington (n.d.), “Violating systems as a path to remediation is not the right way to go” [11]. There could never be a general consensus on whether or not this malware holds more potential in harming, or protecting one’s device. The debate lies in the nature of how secure the device is to begin with. A protected hardware would not have contracted the malware in the first place. An invasion of privacy is still what it is even if it is doing no harm. In the end, there is little that could be done if not for the mindset of the users themselves to initiate the change. REFERENCES [1] Fisher, T. (n.d.). What Is Malware? Retrieved April 09, 2018, from https://www.lifewire.com/what-is-malware-2625933 [2] What is Malicious Software (Malware)? - Definition from Techopedia. (n.d.). Retrieved April 09, 2018, from https://www.techopedia.com/definition/4015/malicious-softwaremalware [3] Lee, In & Lee, Kyoochun. (2015). The Internet of Things (IoT): Applications, investments, and challenges for enterprises. Business Horizons. 58. 10.1016/j.bushor.2015.03.008. [4] Burgess, M. (2018, February 16). What is the Internet of Things? WIRED explains. Retrieved April 09, 2018, from http://www.wired.co.uk/article/internet-of-things-what-is-explained-iot [5] Pastrana, S., Rodriguez-Canseco, J., & Calleja, A. (2016). ArduWorm: A Functional Malware Targeting Arduino Devices. [6] Is there an Internet-of-Things vigilante out there? (n.d.). Retrieved April 09, 2018, from https://www.symantec.com/connect/blogs/there-internetthings-vigilante-out-there. [7] Kovacs, E. (2015). Retrieved April 09, 2018, from https://www.securityweek.com/developers-mysterious-wifatch-malwarecome-forward. [8] Linux.Wifatch: The Router Virus That May Be Secretly Defending You From Other Malware. (n.d.). Retrieved April 09, 2018, from https://securityintelligence.com/news/linux-wifatch-the-router-virusthat-may-be-secretly-defending-you-from-other-malware/. [9] Beneficial Malware? It's a Thing... (n.d.). Retrieved April 09, 2018, from https://www.pcrisk.com/internet-threat-news/9498-beneficial-malwarelinux-wifatch. [10] Russon, M. (2015, October 02). Linux.Wifatch: Routers hacked by 'white hat' virus that makes them more secure against malware. Retrieved April 09, 2018, from https://www.ibtimes.co.uk/linuxwifatch-routers-hacked-by-white-hat-virus-that-makes-them-moresecure-against-malware-1522214. [11] Fox-Brewster, T. (2015, October 09). Meet The Mystery Vigilantes Who Created 'Malware' To Secure 10,000 Routers. Retrieved April 09, 2018, from https://www.forbes.com/sites/thomasbrewster/2015/10/06/mysterywhite-team-vigilante-hackers-speak-out/#1ea56745689f. -----