What if someone created a computer virus which illegally infected as many systems as it could via the Internet and made them more secure against attacks by unauthorized users?
Would you call that malware? How about vigilante malware?
The further we dug into Wifatch’s code the more we had the feeling that there was something unusual about this threat. For all intents and purposes, it appeared like the author was trying to secure infected devices instead of using them for malicious activities.
Wifatch’s code does not ship any payloads used for malicious activities, such as carrying out DDoS attacks; in fact, all the hardcoded routines seem to have been implemented in order to harden compromised devices. We’ve been monitoring Wifatch’s peer-to-peer network for a number of months and have yet to observe any malicious actions being carried out through it.
In addition, there are some other things that seem to hint that the threat’s intentions may differ from traditional malware.
But what you have to wonder is: why didn’t the software writers for these devices (embedded systems for the “Internet of Things”) include the capability for automatic updates, eliminating the need for some “vigilante” to do it for them?