Routers are among the most hackable devices out there — rarely updated, easily compromised, and almost never scanned for viruses. But a new router virus might actually be making the devices safer, according to a report from the security firm Symantec. Dubbed Linux.Wifatch, the bug behaves like a regular virus from the outside: infecting the device, operating undetected, and coordinating actions through a peer-to-peer network. But instead of performing DDoS attacks or looking for sensitive data, Wifatch's main role seems to be keeping other viruses out. It stays up to date on virus definitions through its peer-to-peer network, deletes any malware discovered, and cuts off other channels malware would typically use to attack the router. In short, Wifatch is actually protecting its victims.
It's still unclear where Wifatch comes from or why it was created, but it seems to be very different from the average virus. First detected by a researcher in 2014, the virus seems to make little effort to conceal itself, and leaves various benign messages in its code. One, triggered when a user tries to access the Telnet feature, reminds users to update the device's firmware. Another, dropped as a comment in the source code, repeats a statement from free-software icon Richard Stallman: "To any NSA or FBI agents reading this: please consider whether defending the US constitution against all enemies, foreign or domestic, requires you to follow Snowden's example."
Symantec estimates "somewhere in the order of tens of thousands of devices" are infected with the virus, with infections largely focused on Brazil, China, and Mexico. Resetting a device is enough to remove the infection, but the firm warns that a router may become reinfected over time. "Symantec will be keeping a close eye on Linux.Wifatch and the activities of its mysterious creator," the post concludes. "Users are advised to keep their device’s software and firmware up to date."