The Helpful Hacker?

A new hacker or virus of sorts is making its rounds. Normally, when we write about these, we discuss how a wily cyber criminal made off with customers’ personal information or managed to embarrass someone. This time, that is not the case. As reported by CNN Money, Symantec, and the l00t myself blog, there is malware (if you can even call it that) going around that essentially applies sound security practices to the wireless (Wi-Fi) routers it infects.

Per CNN Money and Symantec, it is called “Ifwatch” (Symantec tracks it as “Wifatch”) and is spreading quickly. Note: “if” in Linux is typically shorthand for a network interface, as in ‘ifconfig’ (versus ‘ipconfig’ on Windows). The software eradicates other (more traditional) malware on routing devices, synchronizes its own updates, and enforces a basic hardening step on the device, as described by Symantec (2015): “Wifatch not only tries to prevent further access by killing the legitimate Telnet daemon, it also leaves a message in its place telling device owners to change passwords and update the firmware.”
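The practical takeaway for a device owner is the check Wifatch performs on your behalf: is Telnet listening on the router, and if so, is it the real daemon? The following is an added example written for this post, not code from the original article, from Symantec, or from the malware. It parses `netstat -tln` output in the layout BusyBox-based routers print (the sample output is constructed), flags a Telnet listener reachable beyond loopback, and then probes a port to tell a genuine telnetd (which opens with IAC option negotiation, byte 0xFF) apart from a plain-text notice of the kind the Symantec quote describes. The two banners, the local listener, and the wording of the notice are all constructed for the demonstration.

```python
"""Audit a Linux-based router for an exposed Telnet service and tell a real
telnetd apart from a plain-text notice left in its place.

Added example for this post; not code from the article, Symantec, or Wifatch.
Assumptions: `netstat -tln` output in BusyBox layout; all hosts, ports and
banners below are constructed for the demonstration.
"""
import re
import socket
import threading

# Constructed sample, laid out like `netstat -tln` on a BusyBox router.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
"""

_LISTEN_RE = re.compile(
    r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s*$", re.M)
_LOOPBACK = {"127.0.0.1", "::1"}


def listening_sockets(netstat_output):
    """Parse (proto, bind_address, port) for every LISTEN line."""
    return [(proto, addr, int(port))
            for proto, addr, port in _LISTEN_RE.findall(netstat_output)]


def exposed_telnet(netstat_output):
    """Telnet listeners (port 23) bound to anything other than loopback."""
    return [(addr, port) for _, addr, port in listening_sockets(netstat_output)
            if port == 23 and addr not in _LOOPBACK]


# A real telnetd opens the conversation with IAC (0xFF) option negotiation.
# Something that merely prints a notice on port 23 sends plain text instead.
IAC = 0xFF


def classify_banner(data):
    """'telnet-daemon' if the first byte is IAC, 'plain-text' otherwise."""
    if not data:
        return "silent"
    if data[0] == IAC:
        return "telnet-daemon"
    return "plain-text"


def probe(host, port, timeout=2.0):
    """Connect, read the first bytes, classify. Returns (state, banner)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""
    except OSError:
        return ("closed", b"")
    return (classify_banner(data), data)


def _serve_once(banner):
    """Constructed local listener that sends `banner` to one client (demo only)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


# Constructed banners: negotiation in the style a BusyBox telnetd sends on
# connect (DO TERMINAL-TYPE, DO NAWS, WILL ECHO, WILL SGA), and a stand-in for
# the notice Symantec says Wifatch leaves (wording constructed, not the real text).
REAL_TELNETD = bytes([IAC, 0xFD, 0x18, IAC, 0xFD, 0x1F, IAC, 0xFB, 0x01, IAC, 0xFB, 0x03])
REPLACED_NOTICE = b"Telnet is closed. Change the device password and update the firmware.\r\n"


def demo():
    """Run the netstat audit and probe both constructed listeners."""
    results = {"exposed": exposed_telnet(SAMPLE_NETSTAT)}
    for label, banner in (("real", REAL_TELNETD), ("replaced", REPLACED_NOTICE)):
        port = _serve_once(banner)
        results[label] = probe("127.0.0.1", port)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

On a real router you would feed `netstat -tln` output into `exposed_telnet` and point `probe` at the LAN or WAN address; a `plain-text` result on port 23 means something other than telnetd has taken the port, which is exactly the situation the Symantec report describes. Either way the remediation is the one the notice asks for: disable Telnet, change the password, and update the firmware.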

Per Symantec, the top countries where Ifwatch is being seen are:

  • China
  • Brazil
  • Mexico
  • India
  • Vietnam
  • Italy
  • Turkey
  • Republic of Korea
  • United States
  • Poland

“We have not seen any malicious activity whatsoever,” said Symantec threat intelligence officer Val Saengphaibul. “However, in the legal sense, this is illegal activity. It’s accessing computers on a network without the owner’s permission.” To date, it has snuck into at least 10,000 Internet-connected devices, usually WiFi routers… But there’s a clue. There’s a hidden message in the program’s computer code: “To any NSA and FBI agents reading this: please consider whether defending the US Constitution against all enemies, foreign or domestic, requires you to follow Snowden’s example.” (CNN Money, 2015).

Our Analysis

This is certainly interesting. Is the perpetrator of this a modern-day Robin Hood? I honestly believe that this is likely the work of a startup (NOT Advanced Persistent Security) that is trying to gain momentum and is trying to sell the Ifwatch software to a larger entity or get its name in the public eye. While no one can be hated for trying, there are more legal ways for an organization to build a name for itself (i.e., a blog; pun intended). I saw where someone believes this could be a diversion for a different attack; I can see the rationality in that statement, but it would likely have already been triggered if it were meant for such.

Note: While the actions of ‘Ifwatch’ are noble, they are still illegal. The software is being installed and operated without the knowledge or consent of the owners of the information systems. Advanced Persistent Security does NOT condone such acts and posted this blog solely as a special-interest topic.


CNN Money
l00t myself (blog)

Thanks for stopping by and reading our blog. We would appreciate if you could subscribe (assuming you like what you read; we think you will). This is meant to be informative and to provide value to anyone who reads this – regardless of their knowledge and/or understanding of IT/Cybersecurity. To learn more about us, check out our “About Us” page.

Be sure to subscribe to this blog and to our Podcast.


About Joe Gray

Joe Gray is a native of East Tennessee. He joined the U.S. Navy directly out of high school and served for 7 years as a Submarine Navigation Electronics Technician. Since leaving the Navy, Joe has lived and worked in St. Louis, MO, Richmond, VA, and Atlanta, GA. His primary experience is in the Information Assurance (IA) and Cyber Security compliance field. He has worked as a Systems Engineer, Information Systems Auditor, Senior UNIX Administrator, Information Systems Security Officer, and Director of IT Security. Joe is pursuing his PhD in Information Technology (with a focus in Information Assurance and Security). His undergraduate and graduate degrees are also in Information Technology (with a focus in Information Assurance and Security) from Capella University, where he graduated Summa Cum Laude for both degrees and completed a Graduate Certificate in Business Intelligence. He is also part-time (Adjunct) Faculty at Georgia Gwinnett College. Joe holds the (ISC)² CISSP-ISSMP, GIAC GSNA, CompTIA Security+, CompTIA Network+, and CompTIA A+ certifications. In his spare time, Joe enjoys reading news relevant to information security, blogging, bass fishing, and flying his drone, in addition to tinkering with and testing scripts in R and Python.