Linux.Wifatch

Last updated
Linux.Wifatch
Alias
AuthorsThe White Team
Technical details
PlatformLinux
Written inPerl [2]

Linux.Wifatch is an open-source piece of malware which has been noted for not having been used for malicious actions, instead attempting to secure devices from other malware. [2]

Contents

Linux.Wifatch operates in a manner similar to a computer security system and updates definitions through its Peer to Peer network and deletes remnants of malware which remain. [3]

Linux.Wifatch has been active since at least November 2014. [4] According to its authors the idea for Linux.Wifatch came after reading the Carna paper. [5] Linux.Wifatch was later released on GitLab by its authors under the GNU General Public License on October 5, 2015. [6]

Linux.Wifatch affects multiple architectures. ARM accounts for 83%, MIPS accounts for 10%, and SH4 accounts for 7%. Linux.Wifatch Architecture Pie Chart.svg
Linux.Wifatch affects multiple architectures. ARM accounts for 83%, MIPS accounts for 10%, and SH4 accounts for 7%.

Operation

Linux.Wifatch's primary mode of infection is by logging into devices using weak or default telnet credentials. [2] [4] Once infected, Linux.Wifatch removes other malware and disables telnet access, replacing it with the message "Telnet has been closed to avoid further infection of this device. Please disable telnet, change telnet passwords, and/or update the firmware." [2]

See also

Related Research Articles

<span class="mw-page-title-main">Firmware</span> Low-level computer software

In computing, firmware is software that provides low-level control of computing device hardware. For a relatively simple device, firmware may perform all control, monitoring and data manipulation functionality. For a more complex device, firmware may provide relatively low-level control as well as hardware abstraction services to higher-level software such as an operating system.

<span class="mw-page-title-main">Timeline of computer viruses and worms</span> Computer malware timeline

This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.

Linux malware includes viruses, Trojans, worms and other types of malware that affect the Linux family of operating systems. Linux, Unix and other Unix-like computer operating systems are generally regarded as very well-protected against, but not immune to, computer viruses.

<span class="mw-page-title-main">Botnet</span> Collection of compromised internet-connected devices controlled by a third party

A botnet is a group of Internet-connected devices, each of which runs one or more bots. Botnets can be used to perform distributed denial-of-service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection. The owner can control the botnet using command and control (C&C) software. The word "botnet" is a portmanteau of the words "robot" and "network". The term is usually used with a negative or malicious connotation.

Ransomware is a type of malware that permanently blocks access to the victim's personal data unless a "ransom" is paid. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem, and difficult-to-trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.

Koobface is a network worm that attacks Microsoft Windows, Mac OS X, and Linux platforms. This worm originally targeted users of networking websites such as Facebook, Skype, Yahoo Messenger, and email websites such as GMail, Yahoo Mail, and AOL Mail. It also targets other networking websites, such as MySpace, Twitter, and it can infect other devices on the same local network. Technical support scammers also fraudulently claim to their intended victims that they have a Koobface infection on their computer by using fake popups and using built-in Windows programs.

Stuxnet is a malicious computer worm first uncovered in 2010 and thought to have been in development since at least 2005. Stuxnet targets supervisory control and data acquisition (SCADA) systems and is believed to be responsible for causing substantial damage to the nuclear program of Iran. Although neither country has openly admitted responsibility, multiple independent news organizations recognize Stuxnet to be a cyberweapon built jointly by the United States and Israel in a collaborative effort known as Operation Olympic Games. The program, started during the Bush administration, was rapidly expanded within the first months of Barack Obama's presidency.

Shamoon, also known as W32.DistTrack, is a modular computer virus that was discovered in 2012, targeting then-recent 32-bit NT kernel versions of Microsoft Windows. The virus was notable due to the destructive nature of the attack and the cost of recovery. Shamoon can spread from an infected machine to other computers on the network. Once a system is infected, the virus continues to compile a list of files from specific locations on the system, upload them to the attacker, and erase them. Finally the virus overwrites the master boot record of the infected computer, making it unusable.

ZeroAccess is a Trojan horse computer malware that affects Microsoft Windows operating systems. It is used to download other malware on an infected machine from a botnet while remaining hidden using rootkit techniques.

The Equation Group, classified as an advanced persistent threat, is a highly sophisticated threat actor suspected of being tied to the Tailored Access Operations (TAO) unit of the United States National Security Agency (NSA). Kaspersky Labs describes them as one of the most sophisticated cyber attack groups in the world and "the most advanced (...) we have seen", operating alongside the creators of Stuxnet and Flame. Most of their targets have been in Iran, Russia, Pakistan, Afghanistan, India, Syria and Mali.

Shedun is a family of malware software targeting the Android operating system first identified in late 2015 by mobile security company Lookout, affecting roughly 20,000 popular Android applications. Lookout claimed the HummingBad malware was also a part of the Shedun family, however, these claims were refuted.

Justin Cappos is a computer scientist and cybersecurity expert whose data-security software has been adopted by a number of widely used open-source projects. His research centers on software update systems, security, and virtualization, with a focus on real-world security problems.

BASHLITE is malware which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.

Mirai is malware that turns networked devices running Linux into remotely controlled bots that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers. The Mirai botnet was first found in August 2016 by MalwareMustDie, a white hat malware research group, and has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs' website, an attack on French web host OVH, and the October 2016 DDoS attacks on Dyn. According to a chat log between Anna-senpai and Robert Coelho, Mirai was named after the 2011 TV anime series Mirai Nikki.

Linux.Darlloz is a worm which infects Linux embedded systems.

Remaiten is malware which infects Linux on embedded systems by brute forcing using frequently used default username and passwords combinations from a list in order to infect a system.

<span class="mw-page-title-main">MalwareMustDie</span> Whitehat security research workgroup

MalwareMustDie, NPO is a whitehat security research workgroup that was launched in August 2012. MalwareMustDie is a registered nonprofit organization as a medium for IT professionals and security researchers gathered to form a work flow to reduce malware infection in the internet. The group is known for their malware analysis blog. They have a list of Linux malware research and botnet analysis that they have completed. The team communicates information about malware in general and advocates for better detection for Linux malware.

Hajime is a malware which appears to be similar to the Wifatch malware in that it appears to attempt to secure devices. Hajime is also far more advanced than Mirai, according to various researchers.

VPNFilter is malware designed to infect routers and certain network attached storage devices. As of 24 May 2018, it is estimated to have infected approximately 500,000 routers worldwide, though the number of at-risk devices is larger. It can steal data, contains a "kill switch" designed to disable the infected router on command, and is able to persist should the user reboot the router. The FBI believes that it was created by the Russian Fancy Bear group. In February 2022, the CISA announced that a new malware called Cyclops Blink produced by Sandworm had replaced VPNFilter.

Cyclops Blink is malicious Linux ELF executable, compiled for the 32-bit PowerPC architecture. It targeted routers and firewall devices from WatchGuard and ASUS and adds them to a botnet for command and control (C&C). The malware is reported to be originated from the hacker group Sandworm.

References

  1. 1 2 Schick, Shane (October 6, 2015). "Linux.Wifatch: The Router Virus That May Be Secretly Defending You From Other Malware". Security Intelligence. Archived from the original on 7 December 2016. Retrieved 7 December 2016.
  2. 1 2 3 4 5 Ballano, Mario (1 Oct 2015). "Is there an Internet-of-Things vigilante out there?". Symantec . Retrieved 14 November 2016.
  3. Das, Samburaj (October 2, 2015). "Linux.Wifatch: Vigilante Hacker Infects Routers with Malware to Fight Bad Malware". hacked.com. Retrieved 14 November 2016.
  4. 1 2 Kovacs, Eduard (October 7, 2015). "Developers of Mysterious Wifatch Malware Come Forward". securityweek.com. Retrieved 15 November 2016.
  5. "linux.wifatch". The White Team. October 5, 2015. Retrieved 15 November 2016.
  6. Cimpanu, Catalin (Oct 7, 2015). "Creators of the Benevolent Linux.Wifatch Malware Reveal Themselves". Softpedia . Retrieved 14 November 2016.