Unusual Malware May Infect IoT Devices to Protect Them: Symantec
The figure of Norton Fighter, a hero character symbolizing reliability of Symantec’s Norton Products, is displayed at Makuhari Messe in 2008 in Chiba, Japan. (Photo by Koichi Kamoshida/Getty Images)

Infected devices connect to peer-to-peer network that distributes threat updates


This article originally appeared at The WHIR

Symantec has been tracking an unusual piece of malware that targets Internet of Things (IoT) devices. Called Linux.Wifatch, the malware appears to be used to secure infected devices rather than to use them for malicious activities.

According to a blog post by Symantec on Thursday, most of Wifatch’s code is written in Perl and it targets several architectures, shipping its own static Perl interpreter for each of them. When a device is infected, it connects to a peer-to-peer network that distributes threat updates.

What’s unusual, according to Symantec, is that the code does not ship any payloads used for malicious activities, such as DDoS attacks.

Symantec recommends users reset an infected device to remove the Wifatch malware; however, devices could become infected again. Users should keep their device’s software and firmware up to date and change default passwords.

As the number of IoT devices grows, so does the variety of security threats. IoT will likely force changes in policy and security practices at most organizations, as 55 percent of IT decision makers at US SMBs surveyed last year expect new security threats and the extension of existing threats to new devices to be a major concern.

Mario Ballano of Symantec said that it has been “monitoring Wifatch’s peer-to-peer network for a number of months and have yet to observe any malicious actions being carried out through it.”

“Wifatch not only tries to prevent further access by killing the legitimate Telnet daemon, it also leaves a message in its place telling device owners to change passwords and update the firmware,” he said.

The author chose not to obfuscate the Perl code, suggesting that they aren’t worried about others being able to inspect it.

Although it does seem to be unlike most malware, Symantec said Linux.Wifatch is still a piece of code that infects a device without user consent. Symantec will continue to keep “a close eye on Linux.Wifatch and the activities of its mysterious creator.”

It is estimated that Wifatch’s network includes tens of thousands of devices, with 32 percent of infected devices in China, and 16 percent in Brazil. Only 5 percent of infected devices are in the US.

Development of IoT is more advanced in Asia Pacific, according to a recent report, with 26 percent of developers in APAC likely to be working on IoT projects, compared to developers in North America (22 percent).

The vast majority (83 percent) of infected devices are ARM architectures.
