
Linux.Wifatch: The latest piece of code infecting Internet of Things devices

It’s difficult for average users to detect if a device has been infected

The following story could well work as the script of a Hollywood movie or superhero comic. Let us introduce you to Linux.Wifatch, one of the latest pieces of code infecting Internet of Things (IoT) devices. Symantec, a technology company, first heard of Wifatch back in 2014, when an independent security researcher noticed something unusual happening on his home router. The researcher identified running processes that didn’t seem to be part of the legitimate router software and decided to investigate further. During his analysis he discovered a sophisticated piece of code that had turned his home router into a zombie connected to a peer-to-peer network of infected devices.

Lately we’ve seen that home routers, and IoT devices in general, are becoming more interesting to cyber crooks. These devices may not hold a lot of interesting data, but under the control of criminals they have proven to be quite useful, for instance to mount distributed denial-of-service (DDoS) attacks.

As well as this, it’s difficult for the average user to detect that one of these devices has become infected, and so most infections go unnoticed. In April of this year, Symantec was provided with some additional information on Wifatch. At first sight there was nothing unusual about it; after a closer look, however, this particular piece of code appeared somewhat more sophisticated than the average embedded threat spotted in the wild. Symantec’s telemetry suggests that India accounts for 9 per cent of Linux.Wifatch infections.

Linux.Wifatch is a piece of code that infects a device without user consent and in that regard is the same as any other piece of malware. It should also be pointed out that Wifatch contains a number of general-purpose back doors that can be used by the author to carry out potentially malicious actions.

However, commands sent through the back doors carry cryptographic signatures that are checked before they are acted on, to confirm that the commands indeed come from the malware’s creator. This reduces the risk of the peer-to-peer network being taken over by others.

Symantec believes that most of Wifatch’s infections are happening over Telnet connections to devices using weak credentials. After monitoring Wifatch’s network for a number of months, we estimate it to include somewhere in the order of tens of thousands of devices.

Mitigation

Resetting an infected device will remove the Wifatch malware; however, devices may become infected again over time. If possible, users are advised to keep their device’s software and firmware up to date and to change any default passwords that may be in use.

(Source: Deccan Chronicle)