Internet router
Symantec has spotted a very unusual virus that protects routers and Internet of Things devices, rather than hijacking them to steal dataiStock

Security firm Symantec has spotted a new virus, which compromises internet routers and Internet of Things (IoT) devices and strangely makes them more resistant to malware, rather than less.

Usually when we write about malware, it's bad news and relates to security vulnerabilities that enable hackers to steal large amounts of sensitive information and compromise websites and networks.

But Symantec has uncovered a new virus called Linux.Wifatch that seems to do the opposite – instead of hijacking the devices for nefarious purposes, the virus instead improves the security of routers and IoT hardware.

Internet routers are some of the most poorly secured devices in existence, yet they are indispensable to us. Usually people get an internet router, set it up with its default settings and default admin password, then happily go surf the web, leaving their router to gather dust for years unless the internet goes down.

Because of these poor security measures, which are often encouraged by internet service providers (ISP) in order to make it easy for call centre support staff to fix problems, routers are starting to become an easy target for hackers.

In Vietnam, millions of FPT Telecom fibre-optic broadband routers were compromised in November 2014, and it is believed that the traffic from these routers is being hijacked by hackers to hide criminal activity.

The virus even hunts for other malware to kill

Poor security in the telnet protocol is what enabled the Linux.Wifatch virus to get into the routers that Symantec inspected, but the researchers believe that the virus might have been created by a white hat hacker, as once it is in the router, the virus then closes the telnet protocol so that nothing else can get in.

On top of that, the virus leaves a message asking the router's administrator to change the password on the router's firmware, and the virus also has a module that goes hunting in the router for any other malware it can kill off.

"Despite the previously listed actions, it should be made clear that Linux.Wifatch is a piece of code that infects a device without user consent and in that regard is the same as any other piece of malware. It should also be pointed out that Wifatch contains a number of general-purpose back doors that can be used by the author to carry out potentially malicious actions," Symantec's Mario Ballano writes in a blog post.

"However, cryptographic signatures are verified upon the use of the back doors to verify that commands are indeed coming from the malware creator. This would reduce the risk of the peer-to-peer network being taken over by others."

Symantec says that the Linux.Wifatch is currently infecting tens of thousands of routers, with the virus being most prevalent in devices found in China, Brazil, Mexico, India, Vietnam, Italy and Turkey.

"There is no doubt that Linux.Wifatch is an interesting piece of code. Whether the author's intentions were to use their creation for the good of other IoT users — vigilante style — or whether their intentions were more malicious remains to be seen," Ballano stressed.

"What we do know is that it pays to be suspicious and, with this in mind, Symantec will be keeping a close eye on Linux.Wifatch and the activities of its mysterious creator."