Botnet Protects Against Malware

Monday, October 5, 2015 @ 03:10 PM gHale

A botnet consisting of tens of thousands of compromised routers and other IoT devices apparently does not have malicious intent.

The developer behind the bot appears to want to secure the devices against compromise from malware and other bot herders.


Researchers first became aware of the botnet, called Wifatch, in November last year. The latest analysis suggests it may span tens of thousands of devices around the world, with the majority concentrated in China, Brazil, Mexico and India, said researchers at Symantec.

“Once a device is infected with the Wifatch, it connects to a peer-to-peer network that is used to distribute threat updates,” the researchers said in a blog post. “Wifatch’s code does not ship any payloads used for malicious activities, such as carrying out DDoS attacks, in fact all the hardcoded routines seem to have been implemented in order to harden compromised devices.”

After several months of monitoring the botnet, there has been no indication of attack.

“Wifatch not only tries to prevent further access by killing the legitimate Telnet daemon, it also leaves a message in its place telling device owners to change passwords and update the firmware,” the researchers said.

One of its modules also tries to remove known malware families targeting embedded devices.

Wifatch is able to infect devices based on different architectures: ARM, MIPS, SH4, PowerPC, and so on.

There are several other things that indicate the Wifatch bot herder is on a mission to keep users safe: The developer did not hide Wifatch’s code, has included debug messages in it to enable easier analysis, and has made sure the backdoors it puts in the devices accept only commands signed by the developer, so other attackers can’t hijack the botnet.
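The last point, that the backdoor acts only on commands carrying the developer's signature, is the same property any remote-management or firmware-update channel on an embedded device should have: whoever controls the network cannot inject instructions unless they also hold the private key. The Go program below is an added example written for this page; it is not code from Wifatch or from Symantec. It assumes an Ed25519 key pair whose public half is baked into the device and a small JSON message carrying a sequence number (both are assumptions made here for illustration). It shows that messages signed with a different key, or altered after signing, are rejected before they are even parsed, and it adds the check that a signature alone does not give you: a sequence number so that an old, still validly signed message cannot be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Message is the body that gets signed. The sequence number lets the device
// reject a replay of an older message whose signature is otherwise valid.
// (Format assumed for this example.)
type Message struct {
	Seq    uint64 `json:"seq"`
	Action string `json:"action"`
}

// Envelope is what travels over the network: the encoded Message plus an
// Ed25519 signature over exactly those bytes.
type Envelope struct {
	Body []byte
	Sig  []byte
}

var (
	ErrBadSignature = errors.New("rejected: signature does not verify against the trusted key")
	ErrReplay       = errors.New("rejected: sequence number is not newer than the last accepted one")
	ErrMalformed    = errors.New("rejected: body is not a valid message")
)

// Sign is the issuer side. Only the holder of priv can produce a valid Sig.
func Sign(priv ed25519.PrivateKey, m Message) (Envelope, error) {
	body, err := json.Marshal(m)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Body: body, Sig: ed25519.Sign(priv, body)}, nil
}

// Receiver is the device side: it trusts exactly one public key and
// remembers the highest sequence number it has accepted so far.
type Receiver struct {
	Trusted ed25519.PublicKey
	lastSeq uint64
}

// Accept verifies the signature first, so unsigned, forged or tampered input
// never reaches the parser, then enforces the sequence number.
func (r *Receiver) Accept(e Envelope) (Message, error) {
	if len(e.Sig) != ed25519.SignatureSize || !ed25519.Verify(r.Trusted, e.Body, e.Sig) {
		return Message{}, ErrBadSignature
	}
	var m Message
	if err := json.Unmarshal(e.Body, &m); err != nil {
		return Message{}, ErrMalformed
	}
	if m.Seq <= r.lastSeq {
		return Message{}, ErrReplay
	}
	r.lastSeq = m.Seq
	return m, nil
}

func main() {
	// Constructed keys for the demo: the device only ever learns devPub.
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	dev := &Receiver{Trusted: devPub}

	good, _ := Sign(devPriv, Message{Seq: 1, Action: "update-signatures"})
	fmt.Println(dev.Accept(good)) // accepted

	forged, _ := Sign(otherPriv, Message{Seq: 2, Action: "update-signatures"})
	fmt.Println(dev.Accept(forged)) // ErrBadSignature: wrong key

	tampered := Envelope{Body: append([]byte{}, good.Body...), Sig: good.Sig}
	tampered.Body[len(tampered.Body)-2] ^= 0x01 // one byte changed after signing
	fmt.Println(dev.Accept(tampered)) // ErrBadSignature: body no longer matches

	fmt.Println(dev.Accept(good)) // ErrReplay: seq 1 already consumed
}
```

Verifying before parsing is deliberate: the JSON decoder is never exposed to attacker-controlled bytes, and the only state the device keeps is the trusted public key and the last accepted sequence number, both of which fit in the flash of a small router.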