Wifatch – The Router Trojan from Friendly Hackers?


Message left by Wifatch when trying to use telnet

Yesterday, cybersecurity firm Symantec reported on a new piece of malware called Linux.Wifatch that attacks Linux-based home routers. And by “attack” we mean that it patches security holes that it finds to make the routers safer. Hey, wait….

That’s right, this router malware does not modify the user’s DNS settings nor does it launch a distributed denial-of-service (DDoS) attack. Yes, it does connect itself to a peer-to-peer network of other infected devices. Yes, it is able to download additional software through a backdoor that it creates. But does it do any bad stuff? Uh, actually no!

What it has been observed doing is turning off telnet, a protocol that’s active on some routers. Telnet is dangerous on a home router because it can allow the device to be administered in a way that completely bypasses the traditional web-based router interface. Telnet is actually much more dangerous because users who gain access through it can potentially run any program they like on the compromised device.

It’s reasonable to believe that some of the people who had telnet turned on in their routers had a good reason for doing so (actually, we’d prefer the more security- conscious ssh to do similar things). People like this are probably computer hobbyists who like to get the most out of their equipment. But probably the vast majority of these people had it turned on unknowingly as a manufacturer’s default. It’s believed that telnet was the way that Wifatch makes its way into the infected routers, so it’s a bit ironic that it then turns telnet off.

So is this vigilantism good or bad? Well, for now it appears to do good things, but we view it simply as a bad thing waiting to happen. Who knows what code these infected devices will be running tomorrow? Some people have asked us why RouterCheck doesn’t simply fix any problems that it finds when it checks a router. The answer is simple: aside from the many ethical and technical problems that we’d face in trying to fix someone’s router, the truth is that some people like and even want things set up in a way that we’d consider to be dangerous. We made a clear choice early on that we’d educate, but if you want something fixed, have a look at RouterCheck Support which will help you learn to fix it yourself. If we did anything differently, we’d be on the same slippery slope that Wifatch finds itself on.

Currently, Wifatch seems to be attacking home routers in the same places where home router attacks seem to happen: China, Brazil, Poland, Italy, Vietnam, although it really is a world-wide problem.

On a positive note, routers infected with Wifatch are easy to clean up. Simply reboot the router. As sophisticated as Wifatch is, it is very difficult to write a router virus that will live on after a reboot.

We don’t currently know who was behind writing Wifatch. If that’s ever discovered, it will take us a long way towards understanding why this happened.

In the meantime, keep your routers safe. Use RouterCheck.