New vigilante malware protects your computer from the bad guys

This isn't your average malware.


Patrick Howell O'Neill


Posted on Oct 1, 2015   Updated on May 27, 2021, 9:23 pm CDT

Call it vigilanteware: Malware in a superhero cape.

Instead of stealing your credit card or doing anything malicious at all, a highly virulent piece of malware, recently uncovered by security researchers at Symantec, actually defends your machine against hackers and even remedies other malware infections.

Now, the researchers are wondering if they’ve discovered an “altruistic” infection from a vigilante hacker with a flair for the dramatic.

The so-called Linux.Wifatch malware, first discovered last year, infects over 10,000 machines, largely in China and Brazil. Although it initially looked like just another botnet, Symantec researchers found Wifatch was “more sophisticated” than a normal infection.

Symantec found that Wifatch removed well-known families of malware that usually target routers, and it even tells users to change their password and upgrade firmware, another way to defend against malicious hackers.

Wifatch’s creator seems to have wanted her creation to be discovered.

The Wifatch code isn’t obfuscated and contains debug messages for easier analysis. The source code also holds a signature honoring software freedom activist Richard Stallman:

“To any NSA and FBI agents reading this: Please consider whether defending the US Constitution against all enemies, foreign or domestic, requires you to follow Snowden’s example.”


What about the hacks Wifatch couldn’t solve outright but still wanted to defend against?

Symantec researchers found that Wifatch forces Dahua DVR CCTV systems to automatically reboot every week, a strange choice that may have interesting intentions behind it. They speculate that the reboot could kill any other running malware, cleaning the device up for another week.

Just as real-world superheroes might butt up against the law, virus vigilantism has quite a few major potential pitfalls as well. The Symantec researchers are quick to point out that Wifatch is illegal and utilizes the same backdoors that more malicious hackers enter through. 

As far as the researchers have found after months of investigation, however, Wifatch’s creator has yet to do anything malicious. In fact, using cryptographic signatures, the malware’s creator has even programmed the virus to guard against other hackers surreptitiously using the same network or backdoors.

Illustration by Max Fleishman

*First Published: Oct 1, 2015, 11:00 am CDT