Home routers, and IoT devices in general, are becoming more and more interesting to cybercriminals. These devices may not hold a lot of interesting data, but in the wrong hands they have proven to be quite useful, for instance for mounting DDoS attacks. Recently, however, we discovered a router threat known as Linux.Wifatch that was exhibiting unusual behaviour: the threat was securing infected devices instead of using them for malicious purposes.
Linux.Wifatch is a sophisticated threat that builds a botnet of infected devices and contains a number of hidden messages visible only to a reverse engineering analyst, leading to a riddle we have been trying to unravel: who is really behind it, what are his intentions, and is there really an Internet-of-Things vigilante out there?
In this talk we will present our research on Linux.Wifatch: we will show how we went about analysing it and how we introduced an insider into its peer-to-peer network to monitor its activities. We will provide data collected over the summer of 2015, and we will also present our theories on who we think may be controlling it and what the author(s)' intentions might be: might they be 'good' guys trying to keep devices out of malicious hands, or are they as evil as other malware creators?