Mario Ballano, an analyst at Symantec, reported finding a strange botnet, named Linux.Wifatch, which exploits various network devices through a vulnerability in the Telnet service and integrates them into a peer-to-peer network. Not only does it show no destructive activity (such as sending spam or organizing DDoS attacks), it also behaves like a kind of antivirus for the infected devices: the botnet agent tries to find and terminate processes of malware known to it, schedules a weekly reboot to protect against threats that run only in RAM, and also kills the vulnerable Telnet daemon, leaving a message asking the administrator to disable the leaky service, change passwords or update the firmware!
Message for administrators of vulnerable devices:
The first traces of the botnet were discovered in November 2014 by a researcher who noticed that his home router was behaving strangely. It turned out that the infection had turned his device into a "zombie" connected to a peer-to-peer network of infected devices. The malware is written in Perl for several architectures and ships with its own statically built Perl interpreter for each of them.
According to Symantec, tens of thousands of devices have been infected, most of them in China, Brazil, Mexico and India.
The source code is compressed but not obfuscated. As Symantec notes, the author does not seem to have tried in any way to make analysis of the code difficult; on the contrary, he even left many explanatory comments. The scripts the botnet uses for its work also contained this remarkable text:
The authorship of this phrase is attributed to Richard Stallman, but the botnet's author was apparently inspired by the exploits of Edward Snowden.
In theory, the botnet agent still carries an additional threat, because it can execute arbitrary commands from its operator (the command center is hidden behind Tor), but the commands must be signed with a cryptographic key, which rules out unauthorized use by third parties. The most interesting question is whether the author will stay on the side of good or will eventually use the botnet for his own benefit...
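As an added example (not Wifatch's own code, which the page does not show), here is how a command-signing check of the kind described above works, using Ed25519 from Go's standard library. The message format, the function names and the sequence counter are assumptions; the point is that an agent with a pinned public key rejects any command that was not produced by the holder of the matching private key, so controlling the delivery channel alone is not enough to issue commands:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Command is a constructed, hypothetical message format: Seq is a
// monotonically increasing counter, Cmd the command text, Sig the
// operator's signature over both. Only Cmd of a verified Command is acted on.
type Command struct {
	Seq uint64
	Cmd string
	Sig []byte
}

// payload is the exact byte string that is signed and verified. Binding the
// sequence number into it lets the agent refuse replayed messages.
func payload(seq uint64, cmd string) []byte {
	return []byte(fmt.Sprintf("%d\n%s", seq, cmd))
}

// SignCommand is the operator side: only the holder of the private key can
// produce a signature the agent will accept.
func SignCommand(priv ed25519.PrivateKey, seq uint64, cmd string) Command {
	return Command{Seq: seq, Cmd: cmd, Sig: ed25519.Sign(priv, payload(seq, cmd))}
}

// Agent holds the pinned public key and the last sequence number it accepted.
type Agent struct {
	pub     ed25519.PublicKey
	lastSeq uint64
}

// Accept verifies the signature against the pinned key and rejects replays.
// It returns nil only for a fresh, correctly signed command.
func (a *Agent) Accept(c Command) error {
	if len(c.Sig) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	if !ed25519.Verify(a.pub, payload(c.Seq, c.Cmd), c.Sig) {
		return errors.New("signature does not match pinned operator key")
	}
	if c.Seq <= a.lastSeq {
		return errors.New("replayed or out-of-order command")
	}
	a.lastSeq = c.Seq
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	agent := &Agent{pub: pub}

	good := SignCommand(priv, 1, "kill telnetd")
	fmt.Println("genuine command:", agent.Accept(good))

	// Someone on the channel alters the text: the signature no longer matches.
	tampered := good
	tampered.Cmd = "disable updates"
	fmt.Println("tampered command:", agent.Accept(tampered))

	// Someone with their own key pair tries to issue a command.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("forged command:", agent.Accept(SignCommand(otherPriv, 2, "kill telnetd")))

	// The genuine message captured earlier is sent again.
	fmt.Println("replayed command:", agent.Accept(good))
}
```

The signature alone proves origin, not freshness; that is why the example also signs a sequence number, since an intercepted genuine command could otherwise be re-sent at will. The property the page describes holds only as long as the private key stays with the operator: if that key leaks, every agent that pins the corresponding public key can be driven by whoever holds it.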