Are Vigilantes Spreading Helpful Malware?
Malware that has compromised more than ten thousand routers is receiving attention this week because its activity appears to benefit the infected users. Linux.Wifatch was discovered by an independent security researcher almost a year ago, who wrote at the time that it represented an “Undetected, maybe unknown family of malware, quite complex and using advanced techniques to avoid disassembly and emulation.” After analyzing the malware over the past year, researchers at Symantec have not only found a significant number of Linux.Wifatch-infected devices but also concluded that the effect of the infection is not malicious but in fact benevolent.
Linux.Wifatch is certainly malware: it infects devices without their owners’ consent and connects them to a network of infected devices. It also installs a backdoor through which the program’s creators can execute additional code. However, all of the reported findings indicate that a Linux.Wifatch infection actually strengthens the security of the devices it infects. The researchers note that “Wifatch’s code does not ship any payloads used for malicious activities, such as carrying out DDoS attacks, in fact all the hardcoded routines seem to have been implemented in order to harden compromised devices…. Wifatch not only tries to prevent further access by killing the legitimate Telnet daemon, it also leaves a message in its place telling device owners to change passwords and update the firmware.”
Besides the message instructing device owners to improve their security settings, the malware’s source code contains a second message, addressed to law enforcement representatives: "To any NSA and FBI agents reading this: please consider whether defending the US Constitution against all enemies, foreign or domestic, requires you to follow Snowden's example." The malware has spread to devices around the globe, with the majority of infections occurring in China, Brazil, India and Mexico.