Creators of the Benevolent Linux.Wifatch Malware Reveal Themselves


Linux.Wifatch’s creators call themselves The White Team. The Linux.Wifatch malware, also dubbed the “vigilante malware,” has been going around the Internet, infecting IoT devices, cleaning out malware infections, and boosting the devices’ security.

While the initial Symantec report that exposed their activity had a positive tone and said that no instances of abuse were recorded from this particular malware strain, the researchers also mentioned that this could always happen, and that its past activities did not guarantee it would continue to be a “good boy” in future versions.

Two days ago, the hackers behind Linux.Wifatch open sourced the malware’s source code on GitLab, and posted some clarifications about their intentions inside the project’s README file.


According to the hackers, who call themselves The White Team, they created Linux.Wifatch first to learn, and then to understand, to have fun, and for their and our security.

They’ve always intended to release the malware as open source, and, staying true to Richard Stallman’s views on software freedom, they’ve released the malware’s code under the GPL, an open source license written by Stallman.

Some parts of the malware source code are missing, for our protection

The Wifatch source code is not complete. Some parts are missing and are being kept secret, with The White Team saying that the missing code “might be released when it no longer is relevant, to protect the innocent.”

Currently, the Linux.Wifatch GitLab repository does not include the command and control code, build scripts, and the password/secret keys package which was used to break into insecure devices.

The White Team said that they might release the build scripts in future versions, but from their other answers, they don’t intend to release any part of the Wifatch code that might be used to hurt other users.

The hackers proved to be the real creators of the Linux.Wifatch malware by releasing a NIST P-256 signature of the SHA-256 hash of the GitLab repository, made with the actual signing key used for the real malware version.
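
The check behind that kind of authorship proof, as an added example (not code from The White Team or from Symantec): the signature only proves anything when it verifies under a public key the verifier already holds from an independent source, such as one observed in deployed samples. The function names, the ASN.1 DER signature encoding, and the sample data are assumptions; the keys and the "release" bytes are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// VerifyAuthorship checks an ECDSA P-256 signature over SHA-256(release) under
// a key the verifier already trusts. Assumption: sig is ASN.1 DER encoded.
func VerifyAuthorship(trusted *ecdsa.PublicKey, release, sig []byte) bool {
	if trusted == nil || trusted.Curve != elliptic.P256() {
		return false
	}
	digest := sha256.Sum256(release)
	return ecdsa.VerifyASN1(trusted, digest[:], sig)
}

// Demo runs three checks on constructed data: the genuine release, a modified
// release, and a release signed by a different key claiming authorship.
func Demo() (genuine, modified, otherKey bool, err error) {
	author, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for the real signing key
	if err != nil {
		return
	}
	claimant, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // someone without that key
	if err != nil {
		return
	}
	release := []byte("constructed stand-in for the published repository contents")
	digest := sha256.Sum256(release)
	sig, err := ecdsa.SignASN1(rand.Reader, author, digest[:])
	if err != nil {
		return
	}
	claimSig, err := ecdsa.SignASN1(rand.Reader, claimant, digest[:])
	if err != nil {
		return
	}
	pinned := &author.PublicKey // the key seen in deployed samples, not one shipped with the claim
	genuine = VerifyAuthorship(pinned, release, sig)
	modified = VerifyAuthorship(pinned, append([]byte("x"), release...), sig)
	otherKey = VerifyAuthorship(pinned, release, claimSig)
	return
}

func main() { fmt.Println(Demo()) }
```

Only the first check passes: a changed release or a signature made with any other key fails against the pinned key.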