The Helpful Hacker?

A new hacker or virus of sorts is making its rounds. Normally, when we write about these, we discuss how the wily cyber criminal made off with customers' personal information or managed to embarrass someone. This time, that is not the case. As reported by CNN Money, Symantec, and l00t myself, there is malware (if you can even call it that) going around that essentially applies sound security practices to wireless (Wi-Fi) networks.

Per CNN Money and Symantec, it is called “Ifwatch” or “Wifatch” and is spreading quickly. Note: “if” in Linux is typically used to denote an interface, especially in networking, as in ‘ifconfig’ rather than the Windows ‘ipconfig’. This software eradicates other (more traditional) malware on routing devices and synchronizes updates among infected devices, in addition to enforcing secure Wi-Fi practices. As Symantec (2015) describes it: “Wifatch not only tries to prevent further access by killing the legitimate Telnet daemon, it also leaves a message in its place telling device owners to change passwords and update the firmware.”

Per Symantec, the top countries where Ifwatch is being seen are:

  • China
  • Brazil
  • Mexico
  • India
  • Vietnam
  • Italy
  • Turkey
  • Republic of Korea
  • United States
  • Poland

“We have not seen any malicious activity whatsoever,” said Symantec threat intelligence officer Val Saengphaibul. “However, in the legal sense, this is illegal activity. It’s accessing computers on a network without the owner’s permission.” To date, it has snuck into at least 10,000 Internet-connected devices, usually WiFi routers… But there’s a clue. There’s a hidden message in the program’s computer code: “To any NSA and FBI agents reading this: please consider whether defending the US Constitution against all enemies, foreign or domestic, requires you to follow Snowden’s example.” (CNN Money, 2015).

Our Analysis

This is certainly interesting. Is the perpetrator of this a modern-day Robin Hood? I honestly believe that this is likely the work of a startup (NOT Advanced Persistent Security) that is trying to gain momentum and is trying to sell the Ifwatch software to a larger entity or get their name in the public eye. While no one can be hated for trying, there are more legal ways for an organization to build a name for itself (i.e. a blog; pun intended). I saw where someone believes this could be a diversion for a different attack. I can see the rationality in that statement, but it would have likely already been triggered if it were meant for such.

Note: While the actions of ‘Ifwatch’ are noble, they are still illegal. The software is being installed and operating without the knowledge or consent of the owner of the information systems. Advanced Persistent Security does NOT condone such acts and posted this blog solely as a special interest topic.

Sources: CNN Money; l00t myself (blog)

Thanks for stopping by and reading our blog. We would appreciate if you could subscribe (assuming you like what you read; we think you will). This is meant to be informative and to provide value to anyone who reads this – regardless of their knowledge and/or understanding of IT/Cybersecurity. To learn more about us, check out our “About Us” page.

Be sure to subscribe to this blog and to our Podcast.

About Joe Gray

Joe Gray joined the U.S. Navy directly out of High School and served for 7 years as a Submarine Navigation Electronics Technician. Joe is currently a Senior Security Architect and maintains his own blog and podcast called Advanced Persistent Security. In his spare time, Joe enjoys attending information security conferences, contributing blogs to various outlets, training in Brazilian Jiu Jitsu (spoken taps out A LOT!), and flying his drone. Joe is the inaugural winner of the DerbyCon Social Engineering Capture the Flag (SECTF) and was awarded a DerbyCon Black Badge. Joe has contributed material for the likes of AlienVault, ITSP Magazine, CSO Online, and Dark Reading.