An old virus affecting routers and other devices running Linux appears to be acting as a digital vigilante, protecting routers in the dark alleyways of the Internet from other malware infections.
Researchers at Symantec first began tracking Linux.Wifatch on Jan. 12, describing it merely as a "Trojan that may open a back door on the compromised router" and adding a couple of pages of generic advice for removing it and keeping it from infecting other devices
The company subsequently noted that another researcher going by the name l00t_myself had spotted the virus in his home router as long ago as November 2014. He dismissed it as easy to decode and having "stupid coding bugs." He reported via Twitter that he had identified over 13,000 other devices infected with it.
That prompted other researchers to chime in that they too had identified it, variously nicknaming it Reincarna and Zollard -- which was spotted in Internet-connected devices as far back as 2013.
Then things went quiet: The developer of the virus didn't do anything bad with the backdoor access, and the other researchers seemed to lose interest.
Now, though, the Symantec researchers think they've figured out what Linux.Wifatch was up to: It was keeping other viruses out of the devices it had invaded.
That in itself is nothing new: the botnet creators have been known to defend their patch before, fighting off or removing rival malware in order to maintain their botnet's destructive power.
The difference, according to Symantec researcher Mario Ballano, is that Wifatch seems only to be defending, not attacking. "It appeared like the author was trying to secure infected devices instead of using them for malicious activities," he wrote in a blog post Thursday.
Devices infected with Wifatch communicate via their own peer-to-peer network, using it to distribute updates about other malware threats. They don't exchange malicious payloads, and in general the code seems designed to harden, or protect, the infected devices.
For instance, Symantec believes Wifatch infects the devices via telnet, exploiting weak passwords -- but if anyone else, including the device's owner, attempts to connect via telnet, they receive the following message: "Telnet has been closed to avoid further infection of this device. Please disable telnet, change telnet passwords, and/or update the firmware."
It also attempts to remove other well-known router malware.
A further sign of its author's good intentions, Ballano said, is that there is no attempt to hide the malware: the code is not obfuscated, and it even includes debug messages making it easier to analyze.