Hacker Batman may be out there, watching over your ADSL router

Symantec has released details about a suspicious program it calls Linux.Wifatch, which has been infecting broadband routers and CCTV systems connected to the Internet.

This virus does not appear to be malicious, said Symantec, stating its author was trying to secure infected devices.

The company credited a security researcher l00t_myself with first alerting them about Wifatch.

Computerworld reported that l00t_myself was not the first to discover this virus, though, and l00t_myself received responses from two other researchers who said they discovered similar malware in 2013.

Peter Košinár called it Reincarna, after the message the virus displays when trying to connect to an infected device over Telnet:

REINCARNA

Telnet has been closed to avoid further infection of this device. Please disable telnet, change telnet passwords, and/or update the firmware.

A Hacker Batman watching over us?

Symantec said that l00t_myself’s analysis uncovered a piece of code that turned his home router into a zombie connected to a peer-to-peer network of infected devices.

Most of Wifatch’s code is written in Perl, targets several architectures, and ships its own static Perl interpreter for each platform it runs on.

Once a device is infected and connected to the “botnet”, it exchanges threat updates with other devices on the network.

No malicious payloads were found, and everything Symantec discovered pointed to the virus hardening compromised devices.

This suggests that the author’s intentions may be noble.

Symantec said Wifatch did include some general-purpose backdoors, though, that the author could use for malicious actions.

The backdoors seem secure, however, thanks to Wifatch having cryptographic signatures to ensure commands are coming from the malware creator.

Symantec estimates that tens of thousands of devices are infected with Wifatch, most of which are in China, Brazil, Mexico, and India.

Devices based on ARM architecture make up the majority of the infections, with the MIPS and SH4 architectures making up most of the remaining infections.

More security news

Patreon hack exposes private user data

New Android Stagefright vulnerability uncovered

Critical vulnerability in WinRAR exposed

Should you be concerned about spying if you have nothing to hide?

Apple App Store suffers first major attack