SecTor interviews The White Team vigilante group


Tens of thousands of routers around the world have been infected by a botnet. Instead of mining bitcoin or redirecting DNS queries to malicious sites, though, it has good intentions. The Wifatch ‘malware’ cleans house, locking down router insecurities and deleting known malware. It’s a benevolent botnet. What should we call it? Goodware? And more importantly, is this unauthorised fixing something that people should be doing?

The malware was first found in 2014 by independent security researcher l00t_myself, who noticed something suspicious on his router. Symantec reported on it at the start of this month, and observed that rather than doing anything malicious, it seemed to lock routers down, deleting known malware files and shutting down telnet access.

After Symantec’s exposure, the authors responded publicly, revealing themselves as online vigilantes and posting an FAQ, along with the source code. SecTor contacted them for more information, and they told us that it was a form of self-defence.

“The group of potential victims of DDoS attacks, fraud, and ransomware includes us, too,” they said. “We might not have so many practical problems, since we usually do know how to configure our devices, but we, too, want to be able to use cars, watches and our friends’ internet access routers without having to worry about potentially exploitable backdoors.”

If malware is spreading through people’s routers, then the White Team views itself as a kind of antibody, surfing the routersphere, killing the bad stuff off, and inoculating the host by fixing security loopholes. It’s a response to a growing number of router compromises.

A history of router hacks

Some router infection projects seem to happen mostly to test the concept, or for research purposes. Other malware teams have infected routers specifically for malicious reasons. They’re a perfect attack vector, because there are lots of them, and the majority of them are left configured to factory settings by non-technical users.

Hacking these routers involves a simple cost/benefit analysis, said the White Team. “Embedded devices are harder to program for – your Windows expertise won’t help, memory and CPU are more limited,” it explained. “But there is almost no thought wasted on security, there are no anti-virus programs, and so on. At some point, the benefit outweighed the costs, and that point was around 2012.”

In early 2013, another router botnet called Carna was discovered, which infected up to 420,000 routers to conduct a census of the Internet, chewing up a not inconsiderable amount of bandwidth in the process. Carna was the “spiritual predecessor” for Wifatch, the White Team said.

Careful with that code

Wifatch isn’t the first virus with the Internet’s best interests at heart. Welchia tried to kill the Blaster worm, for example. Den Zuko hunted down and removed the Brain virus. Benevolent viruses and botnets have their dangers, though, suggests Craig Young, security researcher for Tripwire and the winner of ISE’s SoHopelesslyBroken router hacking contest.

“So-called beneficial botnets certainly have a high risk of unintended consequence,” he warned. “While many embedded devices like routers have very similar hardware and firmware across models in the same family, slight variations can mean that a technique shown to improve security on one system may inadvertently render another system unstable, or even ‘bricked’.”

He worries, too, that with slight modifications, a benevolent virus may be modified, allowing a malicious attacker to exploit devices, install real malware, and use the hardening logic to prevent infection from competing worms.

The White Team remains unfazed. “Let’s put this into perspective,” they told SecTor. “If we don’t infect the devices, then various strains of other malware do it. There are literally thousands of different malware strains in existence.” The team collected around 1.7GB of malware executables with an average size of around 200KB this year alone, it said.

That figure includes only known malware, added the White Team, arguing that its code of conduct involves only disinfecting identified, proven malware with documented malicious behaviours. There are other things which the Team suspects are probably malware but can’t prove, it added.

Wifatch doesn’t exploit firmware bugs to compromise routers, the team added, which it believes reduces the risk. It argued that once again, the question comes down to a cost/benefit analysis.

Take your medicine! It’s good for you!

“Since the harm, while it almost certainly exists, is so negligible, almost anything is likely to outweigh the negative effects. Just keeping a router from crashing, or attacking an innocent website, would probably outweigh most if not all the infections,” it said.

“We still think it is wrong to enter other people’s devices without their explicit permission, but when put into perspective, it certainly looks a bit hypocritical to even wonder about it,” the Team continued.

Is that a decision that a small group of people should make on behalf of others, though? Raul Alvarez, senior security researcher at Fortinet who also writes articles for Virus Bulletin, says that good intentions don’t matter. A beneficial botnet is still like someone who comes into your house uninvited, cleans up, and rearranges the furniture. He’d feel violated, he said.

Nevertheless, he has a potential compromise. “If there are enough checks and tests for this approach and I can explicitly opt in, then it might make for a slick new approach to protecting my network that I’d be happy to allow,” he said. “It’s all about approach and implementation.”

For now, Wifatch continues to infect tens of thousands of routers in its bid to clean up the Internet. The White Team estimates that at least 60,000 routers are under its spell at any one time – and it doesn’t show any sign of switching it off yet.

Given that the Team isn’t stopping, what should you do if you’re worried? Reassert control over your device (presumably with a factory reset) and lock down your passwords, it said. If it can’t get in, argue Team members, it’ll be difficult for others to get in as well.
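One way to verify that lock-down from inside your own network is to check whether the router still answers on the management ports that router malware, Wifatch included, lives on. The script below is an added example, not code from the White Team, Wifatch or SecTor; the port list is an assumption about typical consumer routers, and the gateway address is a placeholder you replace with your own.

```python
"""Check which management ports a router (or any host) still accepts TCP
connections on. Added example, not part of the original article. Run it
from a machine on the router's LAN against the gateway address."""
import socket
from contextlib import contextmanager

# Assumed set of ports commonly exposed by consumer routers. Telnet (23) is
# the service the article says Wifatch shuts down; the rest are the usual
# suspects for remote management.
DEFAULT_PORTS = {
    23: "telnet",
    22: "ssh",
    80: "http admin",
    443: "https admin",
    7547: "TR-069 (CWMP)",
}


def is_port_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port completes within timeout.

    A completed handshake means a service is listening; a refusal or a
    timeout means it is closed or filtered. No data is sent after connecting.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_ports(host, ports=None, timeout=1.0):
    """Probe each port in `ports` on `host`; return {port: open?}."""
    ports = DEFAULT_PORTS if ports is None else ports
    return {port: is_port_open(host, port, timeout) for port in ports}


def exposed_services(results, names=None):
    """Names of the listening services from an audit_ports() result."""
    names = DEFAULT_PORTS if names is None else names
    return sorted(names.get(p, str(p)) for p, open_ in results.items() if open_)


@contextmanager
def local_listener():
    """Open a throwaway listening socket on loopback and yield its port.

    Lets the check be exercised without touching a real router; the port
    closes again when the block exits.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    try:
        yield srv.getsockname()[1]
    finally:
        srv.close()


if __name__ == "__main__":
    gateway = "192.168.1.1"  # placeholder; substitute your router's LAN address
    results = audit_ports(gateway)
    for port, open_ in sorted(results.items()):
        print(f"{gateway}:{port:<5} {DEFAULT_PORTS[port]:<15} {'OPEN' if open_ else 'closed'}")
    if results[23]:
        print("telnet is reachable: disable it and change the admin password")
```

If telnet shows as open after a reset, the router is back in the state Wifatch was patching for you; disable the service in the admin interface and set a non-default password before anything else probes it.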

Interested in finding out more? Register at SecTor, which takes place at Metro Toronto Convention Centre in downtown Toronto during October.
