Vigilante malware changes 10,000 Wi-Fi passwords to make home routers more secure
Researchers at the cybersecurity firm Symantec recently discovered a highly virulent piece of malware that actually defends your machine against hackers and even remedies other malware infections.
According to the researchers at Symantec, the custom-built software is nicknamed “Ifwatch” and it is spreading quickly.
“We have not seen any malicious activity whatsoever,” said Symantec threat intelligence officer Val Saengphaibul. “However, in the legal sense, this is illegal activity. It’s accessing computers on a network without the owner’s permission.”
Ifwatch software is a mysterious piece of “malware” that infects routers through Telnet ports, which are often weakly secured with default credentials and therefore open to malicious attack. Rather than abusing that access, Ifwatch sets up shop, closes the door behind it, and then prompts users to change their Telnet passwords if they actually intend to use the port.
According to Symantec’s research, it also has code dedicated to removing software that has entered the device with less altruistic intentions. Ifwatch finds and removes “well-known families of malware targeting embedded devices.”
“We have no idea who is behind this — or what their full intention is,” Saengphaibul said. However, it has been found to infect more than 10,000 Linux-based routers, mostly in China and Brazil.
Ifwatch was first discovered by an independent researcher in 2014 and connects routers to a peer-to-peer network that is used to distribute threat updates.
Even though it initially looked like just another botnet, Symantec researchers found Ifwatch was “more sophisticated” than a normal infection. They found that Ifwatch removed well-known families of malware that usually target routers, and it even tells users to change their password and upgrade firmware, which is another way to defend against malicious hackers.
It looks like Ifwatch’s creator wanted it to be discovered. The Ifwatch author left a comment in the source code that references an email signature used by software freedom activist Richard Stallman, which reads:
“To any NSA and FBI agents reading my email: please consider whether defending the U.S. Constitution against all enemies, foreign or domestic, requires you to follow Snowden’s example.”
The Symantec researchers are quick to point out that Ifwatch is illegal and uses the same backdoors that more malicious hackers enter through. However, after months of investigation, the researchers have found that Ifwatch’s creator has yet to do anything malicious, making them wonder whether this altruistic hack is an attempt to improve everyone’s privacy or just a very smart diversion.