Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: InfoSec Handlers Diary Blog - Benevolent malware? reincarna/Linux.Wifatch InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Benevolent malware? reincarna/Linux.Wifatch

Published: 2016-11-11
Last Updated: 2016-11-11 03:45:30 UTC
by Rick Wanner (Version: 1)
1 comment(s)

In the new to me department.  It looks like this one has been around for more than three years.

Today I was doing some banner grabbing looking for a Mirai node that had gotten away from me, and came across the Telnet banner below.  It appears this device is infected with a piece of malware called Reincarna/Linux.Wifatch.  It purports to being a memory resident malware that defends the device from more malicious malware. 

More information about reincarna/Linux.wifatch from Symantec.  Symantec's write-up states that the malware provides a backdoor and connects back to a Command and Control server, so maybe not so benevolent after all.

--------------------------------------

# telnet X.X.X.X
Trying X.X.X.X…
Connected to X.X.X.X.
Escape character is ‘^]’.

REINCARNA / Linux.Wifatch

Your device has been infected by REINCARNA / Linux.Wifatch.

We have no intent of damaging your device or harm your privacy in any way.

Telnet and other backdoors have been closed to avoid further infection of
this device. Please disable telnet, change root/admin passwords, and/or
update the firmware.

This software can be removed by rebooting your device, but unless you take
steps to secure it, it will be infected again by REINCARNA, or more harmful
software.

This remote disinfection bot is free software. The source code
is currently available at https://gitlab.com/rav7teif/linux.wifatch

Team White

---------------------------------

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

Keywords: malware reincarna
1 comment(s)
Diary Archives