Wifatch and Cheese, Malware Vigilantes

Source: Pixabay.

While the concept of good bacteria isn’t all that revolutionary – Lactobacillus casei, a type of bacteria that lives in the human intestine and mouth, birthed an entire industry of pro-biotic dairy products – the idea of friendly malware is a little harder to swallow; after all, there can’t be many things more malevolent than trojans that let hackers in, keyboard loggers that steal bank details, and viruses that exist solely to devour hard drives.

“Good” malware is a very real – if rare – phenomenon though.


Back in October 2015, a complex virus was discovered infecting routers by security researchers. Dubbed Wifatch, the malware had the usual characteristics of a virus, resisting deletion and dismantling but, instead of causing damage, Wifatch removed any malware infecting the host device and closed a communication protocol to prevent anything else getting in. Finally, Wifatch left a message – change your password.

The fact that Wifatch went after routers is interesting. Internet-enabled devices like baby monitors, wireless printers, and even some fridges are the primary components of a botnet like Mirai, which recruits machines infected with a certain trojan and forces them to flood internet services with traffic, knocking them offline. Known as a Distributed Denial of Service (DDoS) attack, Mirai’s handiwork took down half the internet last year.

Source: Pixabay.

Load Balancers

DDoS attacks are occurring with increasing regularity (Q2 2016 experienced 75% more attacks than the same period in 2015) so the appearance of Wifatch as a surrogate for user prudence isn’t all that surprising. The key to the rise of DDoS attacks is accessibility. The source code for Mirai is available freely (and for free) online and criminals with relevant hacking skills can be hired on the dark web for just a few dollars.

The previous in mind, DDoS protection is one of the primary concerns of security companies; load balancer services exist to distribute traffic across servers, redirecting visitors to healthy servers in the event of service disruption, for whatever reason that happens. Services like web application firewalls have also moved aspects of DDoS protection into the cloud to create a barrier between critical services and malicious traffic. But does friendly malware have a role to play in future DDoS prevention too?

Cheese Worm

Wifatch has a predecessor in 2001’s Cheese, a self-spreading Linux worm that chased the malicious 1i0n worm around the internet. The latter piece of malware emailed criminals the location of backdoors it opened in infected machines so that they could be broken into; Cheese simply “patched” the vulnerabilities out before scanning for other compromised machines nearby. It too carried a message, being “written to try and do some good”.

Source: Pexels.

Sending a computer worm out on a crusade to rid the internet of all its evils sounds like a good thing but, in every case, there’s a moral issue. Imagine for example that somebody breaks into a house to fix a broken boiler; the intention is good but it’s still an intrusion – and a crime. Wifatch and Cheese assume consent simply because they mean no harm. Given that similar viruses report people to the authorities for possessing certain files, well-meaning malware is probably closer to vigilantism than a cyber police force.

There’s an obvious conversation to be had around good malware, especially as a cost-effective way to free devices from botnets or stop them getting snared in the first place, but does reducing the strength of DDoS attacks make up for the inevitable privacy violations?


Leave a Reply