The Wifatch Malware

Wifatch is malware that attacks Linux-based routers that have the telnet protocol enabled and are protected by a trivial password. Wifatch is unusual malware in that it claims to do beneficial things, such as disabling telnet if it’s poorly secured. More information about Wifatch can be found here.

If RouterCheck determines that your router has been infected with Wifatch, it is easy to remove. Wifatch was designed to install itself into your router, but it will not survive a reboot. So, if you simply reboot your router, Wifatch will be gone.

However, if you simply stop there, it is very likely that you’ll soon be infected again. To prevent reinfection, you must either disable telnet or use a password that is not trivial.

If you have telnet enabled on purpose, then either disable it or change the password. If you don’t know how telnet was enabled, then it’s possible that UPnP has enabled it and opened a port on your router. You can verify this by looking at the open ports on the router. If port 23 is open, then telnet is enabled.
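
The port 23 check described above can also be run from a computer on your own network. The following is an added example, not RouterCheck's code; the router address `192.168.1.1` is an assumed default and the function names are illustrative.

```python
import socket
import sys

IAC = 0xFF                               # telnet "Interpret As Command" (RFC 854)
NEGOTIATION = {0xFB, 0xFC, 0xFD, 0xFE}   # WILL, WON'T, DO, DON'T


def looks_like_telnet(data: bytes) -> bool:
    """True if data holds a telnet option negotiation: IAC, verb, option."""
    return any(
        data[i] == IAC and data[i + 1] in NEGOTIATION
        for i in range(len(data) - 2)
    )


def check_telnet(host: str, port: int = 23, timeout: float = 3.0) -> str:
    """Return 'closed', 'open-telnet' or 'open-unknown' for host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as conn:
            try:
                greeting = conn.recv(256)   # telnet servers usually speak first
            except (socket.timeout, ConnectionError):
                greeting = b""              # port is open but stayed silent
    except OSError:
        return "closed"                     # refused, filtered or unreachable
    return "open-telnet" if looks_like_telnet(greeting) else "open-unknown"


if __name__ == "__main__":
    # Assumed default; pass your router's LAN address as the first argument.
    router = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    result = check_telnet(router)
    advice = {
        "closed": "port 23 is not reachable; telnet appears to be disabled.",
        "open-telnet": "telnet is answering on port 23; disable it or set a strong password.",
        "open-unknown": "port 23 is open; check the router's telnet and UPnP settings.",
    }
    print(f"{router}: {advice[result]}")
```

Run it after the reboot and again after changing the telnet or UPnP settings to confirm the port has closed. It tests the router's LAN side only, so a port that UPnP forwarded to the internet still has to be checked in the router's open ports list.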