Symantec has uncovered more details about the Linux.Wifatch code that targets Internet of Things (IoT) equipment by appearing to fix security issues.
It was originally found last year, but now Symantec has investigated further into the code, finding out it is written in the Perl programming language and is distributed via peer-to-peer networks normally used to send out threat updates.
"The further we dug into Wifatch's code the more we had the feeling that there was something unusual about this threat," Mario Ballano, senior security response engineer at Symantec, wrote in a blog post. "For all intents and purposes it appeared like the author was trying to secure infected devices instead of using them for malicious activities."
Wifatch doesn't actually carry out DDoS attacks or other malicious activities we're used to seeing, but in fact, its activities seem to have been implemented to secure compromised devices.
Symantec said it has been monitoring the anomaly for the last few months and hasn't seen any kind of malicious activity carried out using the code. Part of the code even tries to detect other malware infections that may be running on the device, removing them if it can.
"Wifatch not only tries to prevent further access by killing the legitimate Telnet daemon, it also leaves a message in its place telling device owners to change passwords and update the firmware," Ballano explained.
However, it seems the code is being used to send a message out to the US authorities. Hidden in the source code, it reads: "To any NSA and FBI agents reading this; please consider whether defending the US constitution against all enemies, foreign or domestic, requires you to follow Snowden's example."
Although none of its actions seem to be malicious, Symantec warned that it is still getting onto devices without the user's consent and could, potentially be used to launch attacks if the author wants it to.
"We believe that most of Wifatch's infections are happening over Telnet connections to devices using weak credentials. After monitoring Wifatch's network for a number of months, we estimate it to include somewhere in the order of tens of thousands of devices," the company said.
