Tens of thousands of home routers and other simple devices have been infected with a sophisticated worm. But rather than using them for DDoS attacks, the worm has blocked a popular method of infection and... done nothing further.
Researchers from Symantec have just published an analysis of an interesting, unusual case of a worm that infects Internet of Things devices. The worm, although it undoubtedly reproduces without authorization, appears to have peaceful intentions.
A year of operation, zero attacks
The first traces of Wifatch (the name of the "worm") lead to a blog entry by an analyst who came upon strange files on his router almost exactly a year ago. A two-part description of this unusual infection is available. The analyst accidentally found files on his router that should not have been there. The files were obfuscated and pointed to Perl as the bot's language. After unpacking and decoding, a complex P2P architecture was found. By regularly polling the nodes of the P2P network, the analyst a year ago identified more than 3,000 infected devices, each of which served the botnet's files. In total there were more than 40 files, covering all moderately popular hardware architectures. The botnet was identified again in October 2014 by researchers from BlueCoat, who encountered it in their honeypot but did not publish a more detailed analysis. Only Symantec's article sheds more light on this interesting project. Symantec has been observing the botnet's activity since March. During this time, none of its components has been used to cause any damage. The code contains no elements for carrying out DDoS attacks or stealing information. It seems that its only task is to spread and to patch holes in the devices it gets into.
Good uncle Robin Hood
Wifatch gets onto other people's devices via telnet services "protected" by simple passwords. After taking control of a device, this "worm" not only disables telnet access but also displays a warning message about the need to change passwords and update the software. The bot also has many modules. Some of them are responsible for removing other known malware families that attack IoT devices. In the case of Dahua video monitoring systems, a separate module reconfigures the device to restart every week (probably as a way of clearing malware from the device's memory). The code is also known for containing Richard Stallman's signature message:
To any NSA and FBI agents reading my email: please consider whether defending the US Constitution against all enemies, foreign or domestic, requires you to follow Snowden’s example.
According to Symantec's researchers, the bot's code is not hidden at all (it is only compressed), and the code does indeed contain elements that facilitate its analysis.
Bad uncle, not Robin Hood
It should also be remembered that the bot scans the network in search of prey, gets onto machines without the owner's knowledge, and includes features allowing remote command execution under the control of the program's mysterious author. The author has, however, taken care that no unauthorized person can take control of the devices: each control message is verified using elliptic curve cryptography (ECDSA). Among the tens of thousands of infected machines, most are home routers and IP cameras. Most are located in Brazil and China. The bot supports all major hardware architectures, and the distribution of infected machines is as follows: ARM 83%, MIPS 10%, SH4 7%. PowerPC and x86 together account for 0.1% of infections.
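The control-message check described above, as an added illustration written for this article (it is not Wifatch's code, and the message format, the ControlMessage type, the Verifier type and the sequence-number replay guard are assumptions of the example, not details reported by Symantec). A node embeds one trusted public key and accepts a command only if its ECDSA signature verifies under that key; anyone who knows the protocol but does not hold the private key cannot issue commands, and a captured genuine message cannot simply be sent again.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// ControlMessage is a hypothetical command envelope: Seq and Command are the
// signed payload, Sig carries the ASN.1-encoded ECDSA signature over them.
type ControlMessage struct {
	Seq     uint64
	Command string
	Sig     []byte
}

// payload returns the exact bytes that are signed and later verified.
func (m *ControlMessage) payload() []byte {
	buf := make([]byte, 8, 8+len(m.Command))
	binary.BigEndian.PutUint64(buf, m.Seq)
	return append(buf, m.Command...)
}

// Sign produces a signed control message with the operator's private key.
func Sign(priv *ecdsa.PrivateKey, seq uint64, cmd string) (*ControlMessage, error) {
	m := &ControlMessage{Seq: seq, Command: cmd}
	digest := sha256.Sum256(m.payload())
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	m.Sig = sig
	return m, nil
}

// Verifier holds the single public key a node trusts plus the last sequence
// number it accepted. The sequence number is a replay guard added by this
// example; the article does not say whether Wifatch has one.
type Verifier struct {
	Pub     *ecdsa.PublicKey
	lastSeq uint64
}

// Accept returns true only if the signature is valid under the trusted key
// and the sequence number is strictly newer than anything seen before.
func (v *Verifier) Accept(m *ControlMessage) bool {
	digest := sha256.Sum256(m.payload())
	if !ecdsa.VerifyASN1(v.Pub, digest[:], m.Sig) {
		return false // wrong key or altered payload
	}
	if m.Seq <= v.lastSeq {
		return false // replayed or out-of-order message
	}
	v.lastSeq = m.Seq
	return true
}

// Demo exercises the four cases a node must distinguish. Keys are generated
// fresh here (constructed sample data), so nothing depends on external input.
func Demo() (genuine, tampered, wrongKey, replay bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	other, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	node := &Verifier{Pub: &priv.PublicKey}

	msg, err := Sign(priv, 1, "disable telnet")
	if err != nil {
		return
	}
	genuine = node.Accept(msg) // valid signature, fresh sequence number

	// Same signature attached to a different command: the digest no longer matches.
	forged := &ControlMessage{Seq: 2, Command: "enable telnet", Sig: msg.Sig}
	tampered = node.Accept(forged)

	// Properly signed, but by a key the node does not trust.
	imposter, err := Sign(other, 3, "enable telnet")
	if err != nil {
		return
	}
	wrongKey = node.Accept(imposter)

	// The genuine message sent a second time: signature still valid, Seq not newer.
	replay = node.Accept(msg)
	return
}

func main() {
	g, t, w, r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v wrongKey=%v replay=%v\n", g, t, w, r)
}
```

The design point is that signature verification alone only proves who wrote a message, not that it is current; the sequence check (or a nonce, or a timestamp with a tolerance) is what keeps a recorded message from being reused, and a node should store the trusted public key in a place the telnet-reachable parts of the device cannot overwrite.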
Even an ethical botnet is still a botnet. When talking about such initiatives, researchers often cite as a risk the scenario in which the bot accidentally lands on, for example, a dialysis machine and causes it to crash. This is a genuine dilemma for people who want to play Robin Hood. Even so, some undertake such projects; among the best known is probably the extremely clever Carna botnet, which was built to scan the entire Internet, or the mysterious case of the Express Upgrade of the software on thousands of vulnerable routers in TP's network.