
Beyond the Wall

Posted on 06/07/2016, by Miguel Herrero (INCIBE)

The 'wildlings' live beyond the wall. Everyone in Westeros knows that. This is why they trust in the Night's Watch, protectors of the Seven Kingdoms. In the world of cybersecurity there are also people who live beyond the wall and we know that not all of them have evil intentions. They may not obey the laws but their intentions do not seem to be to destroy everything that is established by law.

One example of such non-destructive behaviour is the Linux.Wifatch malware. Created by Team White, it infects systems but is, in principle, the least harmful. Linux.Wifatch has a clear target: Linux routers and IoT devices that use this embedded operating system (watches, televisions, etc.) and are not adequately protected. Its aim is to prevent them from being infected by other, less friendly malware.

The first time we heard about Wifatch was in 2014, when a security researcher discovered processes on his home router that should not have been there. He started an investigation of the device that confirmed it was compromised, and managed to reverse-engineer the malware it had been infected with. Subsequently Symantec published a post presenting the malware.

But what does Wifatch really do? Essentially, Wifatch infects you to prevent anyone else from doing so. It scans the network looking for devices that are vulnerable on the Telnet port (TCP/23), either because they have user names that are not protected with a password or because they use default user names and passwords. Once it has infected your device, it shuts down the Telnet daemon to prevent anyone else from accessing the device, and when it receives a connection on port 23 it displays a banner with a message from Reincarna informing you that you have been infected and asking you to update passwords, user names and firmware.
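On the defender's side, the Telnet scanning described above shows up as one internal host contacting many distinct addresses on TCP/23 in a short time. The following detection sketch is an added example, not code from the original post or from the Wifatch project; the flow-record format, the one-minute window, the threshold of five destinations and the function names are all assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records (timestamp, source, destination, destination port).
SAMPLE_FLOWS = """\
2016-07-06T10:00:00 192.168.1.1 198.51.100.10 23
2016-07-06T10:00:02 192.168.1.1 198.51.100.11 23
2016-07-06T10:00:04 192.168.1.1 198.51.100.12 23
2016-07-06T10:00:05 192.168.1.20 192.168.1.254 23
2016-07-06T10:00:06 192.168.1.1 198.51.100.13 23
2016-07-06T10:00:08 192.168.1.1 198.51.100.14 23
2016-07-06T10:00:09 192.168.1.30 203.0.113.7 443
2016-07-06T10:00:10 192.168.1.1 198.51.100.15 23
truncated record
2016-07-06T10:10:00 192.168.1.40 198.51.100.20 23
2016-07-06T10:20:00 192.168.1.40 198.51.100.21 23
"""

def parse_flows(text):
    """Yield (time, src, dst, dport) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue

def telnet_scanners(flows, window=timedelta(minutes=1), threshold=5):
    """Return {src: peak distinct TCP/23 destinations in one window} at or above threshold."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == 23:
            per_src[src].append((ts, dst))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        start = best = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop events older than the window
            best = max(best, len({d for _, d in events[start:end + 1]}))
        if best >= threshold:
            flagged[src] = best
    return flagged

if __name__ == "__main__":
    print(telnet_scanners(parse_flows(SAMPLE_FLOWS)))
```

In the sample, only the router at 192.168.1.1 is flagged; the host that opens a single Telnet session to one device and the host that reaches two Telnet destinations ten minutes apart stay below the threshold.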


Moreover, Wifatch connects the device to a P2P botnet, called Reincarna, which searches for the next target. Wifatch includes backdoors to control the bot once the Telnet port is closed, and these might be used to take control of the device. As a preventive measure, all the commands received through the P2P botnet are digitally signed, to prevent other cybercriminals from taking control of the botnet and using it for other less "humanitarian" purposes.

One thing that makes Wifatch different from other types of malware you might encounter "in the wild" is that it lacks persistence mechanisms. Malware needs to be able to survive a reboot if it is to be of any use to the criminal. In this case, if the infected machine is rebooted, all that remains of Wifatch are the downloaded files, but it will not start to run again or alter the machine's settings. Of course, if appropriate measures are not taken, the device will be infected again by Wifatch, but this is a second infection and not a persistence mechanism.

Currently this project is becoming inactive. The code, most of which is accessible through the White Team GitLab, now sees almost no changes, as can be seen from the number of commits, which has gradually decreased. Part of the code has not been released to prevent its reuse by criminals.

The white team

These botnets with non-malevolent ends are called White Botnets, similar to the White Hat Hackers, although technically the name is prosumware (en.wikipedia.org/wiki/Prosumware, link currently unavailable), from the Latin prosum, meaning useful or beneficial. Reincarna is not the first of its type; as the authors admitted, the idea came from Carna (hence the name), an earlier project.

Carna, whose name comes from the Roman deity Cardea, goddess of health, was the first example of prosumware to be documented. It consisted of a botnet active between March and December 2012, which "kidnapped" routers without a Telnet password or with very simple passwords in order to carry out a project to map the Internet. The aim of the original project was to scan the entire range of IPv4 addresses through port 23 and, to accelerate the process, some devices that were found unprotected were converted into new scanners. In less than one day, they had managed to infect 100,000 devices, thus managing to scan all the Internet in only 16 hours, and they published a study that can still be found in the Internet Archive. The source code of the Carna bots was not published for fear of abuse, but in December 2012 there were 420,000 clients distributed as shown in the following figure.


Reincarna reached a similar size in its best moments; the authors calculate that it was made up of between 200,000 and 4,000,000 bots. Now its size is almost residual: a search on Shodan shows some 300 devices, of which only four correspond to IP addresses geo-located in Spain. To read more about these two examples of prosumware, see:

  • www.codyhofstetter.com/2015/10/prosumware-malware-for-the-insecure/ (Link currently unavailable)
  • www.codyhofstetter.com/2015/10/prosumware-malware-insecure-part-2/ (Link currently unavailable)