Wifatch’s code does not ship any payloads used for malicious activities, such as carrying out DDoS attacks. In fact, all the hardcoded routines seem to have been implemented in order to harden compromised devices. We’ve been monitoring Wifatch’s peer-to-peer network for a number of months and have yet to observe any malicious actions being carried out through it.
In addition, several other details suggest that the threat’s intentions may differ from those of traditional malware.
Wifatch not only tries to prevent further access by killing the legitimate Telnet daemon, but also leaves a message in its place telling device owners to change their passwords and update the firmware.
Wifatch has a module that attempts to remediate other malware infections present on the compromised device. Some of the threats it tries to remove are well-known families of malware targeting embedded devices.
The threat author left a comment in the source code that references an email signature used by software freedom activist Richard Stallman (Figure 2).
Wifatch’s code is not obfuscated; it just uses compression and contains minified versions of the source code. It would have been easy for the author to obfuscate the Perl code but they chose not to. The threat also contains a number of debug messages that enable easier analysis. It looks like the author wasn’t particularly worried about others being able to inspect the code.
The threat has a module (dahua.pm) that seems to be an exploit for Dahua DVR CCTV systems. The module allows Wifatch to set the configuration of the device to automatically reboot every week. One could speculate that, because Wifatch may not be able to properly defend this type of device, its strategy is instead to reboot it periodically, which would kill running malware and return the device to a clean state.
Linux.Wifatch compromises routers and other Internet of Things devices and appears to try to improve the security of the devices it infects.