Software called Linux.Wifatch compromises routers and other Internet of Things devices and appears to try to improve infected devices’ security.
Wifatch appeared in 2014, when an independent security researcher noticed something unusual happening on his home router. The researcher identified running processes that didn’t seem to be part of the legitimate router software. During his analysis he discovered a sophisticated piece of code that had turned his home router into a zombie connected to a peer-to-peer network of infected devices.
In April of this year a new variant appeared. Once a device is infected with Wifatch, it connects to a peer-to-peer network that is used to distribute threat updates.
Wifatch’s code does not ship any payloads used for malicious activities, such as carrying out DDoS attacks. In fact, all the hardcoded routines seem to have been implemented in order to harden compromised devices.
Wifatch has a module that attempts to fix other malware infections present on the compromised device. Some of the threats it tries to remove are well-known families of malware targeting embedded devices.