The case of the vigilante virus

Published
October 20, 2015
Type
Info notes

Introduction

An unusual botnet, dubbed Linux.Wifatch has been infecting home routers running Linux for about a year. Its originality comes from the fact that it seems to make the devices' security better. This Info Note presents the main characteristics of Linux.Wifatch and questions its apparent motives.

Facts

In November 2014, a security researcher noticed strange activity on his home router, and proceeded to analyse the reason. He quickly realised that his router had been infected, and managed to submit samples to anti-virus vendors.

Symantec published an analysis in early October 2015. The bot component of the virus is surprising, in that it does not contain the usual payloads for launching Denial of Service attacks, sharing files, or infecting other systems. Instead, the analysts from Symantec could only find code that plugged security holes in the infected devices. For example, it disables the telnet service, and attempts to remove common viruses that target home routers.

The authors of the virus have since published the source code of the bot component. The published source code cannot be used to infect systems.

Since the bots do not infect other systems themselves, and the source code does not contain any infection code, the infection vectors are still unknown. From comments found in the bot, it seems that the most common vector was the use of hard-coded credentials, like default passwords left by manufacturers and ISPs.

A good virus?

At first sight, it would seem that the bot is harmless, as it apparently increases the level of security of the infected devices. It closes points of entry, and gives sound security advice to owners. There are downsides to this approach, though:

  1. In most jurisdictions, accessing a system belonging to someone else without authorisation is an offence. Whatever their intentions, the authors of the virus broke the law.
  2. The authors of the virus included an update system, and as long as they control the botnet, they have the capability to add offensive modules, with only their word to ensure users that they will not. Users cannot just trust unknown individuals that infected their devices to "do the right thing".
  3. No matter how extensively the authors tested their virus, bugs in their software could have unwanted interactions with the home routers' firmware. In the worst case, they could have rendered routers inoperable, and cut the owners' internet connection.
  4. In some environments, ISPs could have depended on a vulnerable service to manage the routers. Even though this is bad practice, closing the service could in effect make the device unmanageable.
  5. Bugs in the virus could also introduce other ways of infection by more malicious actors, or could allow others to take over the whole botnet, and use it for nefarious purposes.

These downsides far outweigh the advantages of the virus. Infecting other people's devices is not a good idea, no matter the intentions. A real-life analogy would be that of an intruder breaking into people's houses to fix the plumbing and change the locks.

Conclusions and recommendations

This note presented what is known about Linux.Wifatch, and determined that even though it appears harmless and well-intentioned, the use of a virus to patch security vulnerabilities in others' devices is a bad idea. It is up to manufacturers, OEMs, ISPs and users to secure their devices, not to any unauthorised third party.

The recommendations of a previous Info Note on access router security are still valid. People who would like to engage in similar activities must refrain from doing so. Anyone finding vulnerabilities should report them, not abuse them for any purpose. ENISA will shortly publish a full report on vulnerability disclosure.

About “Info Notes” from ENISA

With the “Info Notes” series ENISA aims at giving the interested reader some background and recommendations about NIS related topics. The background and recommendations are derived from past experiences and common sense, and should be taken as starting points for discussions on possible courses of action by relevant stakeholders. Feel free to get in touch with ENISA to discuss or request more information on the “Info Notes” series (cert-relations@enisa.europa.eu).
