Investigators have uncovered a new form of malware that’s making the rounds, and it’s actually pretty baffling. This one, which researchers have dubbed Linux.Wifatch, may have already infected tens of thousands of individuals’ home routers, but then it goes on to further secure the network, especially any IoT devices that are gathering or transmitting information.



“For all intents and purposes, it appeared like the author was trying to secure infected devices instead of using them for malicious activities,” Symantec’s Mario Ballano said in an online post after members of their team discovered the code.

Symantec has been monitoring the virus since they discovered it several months ago, and has even gone on to purposely allow it to infect some of their systems so they could watch what it does. In all this time, the virus doesn’t seem to have done anything malicious; instead, it may actually be walling off the infected network to protect it from surveillance behaviors and other malware attacks. So far, the largest areas of infection are in China and Brazil, with other pockets of infection spread throughout the world.

The malware apparently gets in due to poor security in the infected computers’ telnet protocol; ironically, once infected, the user is prompted with a message to change their telnet password and enable stronger security. Wifatch also appears to root out other viruses and malicious software, as well as make it easier to debug the router. Wifatch also beefs up some security surrounding internet of things devices which have been thought of as weak links in the cybersecurity chain.

According to an article by Shirley Siluk for TopTechNews, there’s some speculation about who could be behind it.

“The unusual malware apparently works to prevent further infections and sometimes even delivers a message telling device owners to change their Telnet passwords and/or update their firmware. Another aspect is that the source code contains a line of text famously used as an e-mail signature by software freedom activist and GNU Project founder Richard Stallman.”

Ballano has gone on to state that the code doesn’t seem to be very “secretive,” or that the author doesn’t seem concerned with others finding out the virus is on their network or how it operates. As Ballano has pointed out though, it is still a virus, put in place without the user’s permission. No good deed truly goes unpunished, however, if that’s the sentiment from thousands of tech users who are currently enjoying the protection Wifatch provides.