Security experts warn against altruistic malware

Malware that removes viruses and vulnerabilities just introduces more risk, say experts.

Researchers at security firm Symantec recently found a new strain of malware. On the face of it, that’s nothing special, but this strain had some interesting features; it made your security better.

Linux.Wifatch, which has infected over 10,000 routers and IoT devices, predominantly within China and Latin America, actually removes other malware present and tries to patch other vulnerabilities. Making no effort to hide their intentions, the creators of this altruistic malware even left a message for NSA agents. The code’s mystery creator has since published it to GitHub and talked to both Symantec and Forbes, saying that this was essentially an experiment and that they have no intention of using Wifatch for malicious purposes.

We talked to two security experts about the concept of altruistic malware and whether this is something that should become more widespread.

“I think it’s a really interesting phenomenon, and I’m surprised it’s not happened before,” says Gavin Millard, Technical Director of Tenable Network Security. “I don't want to rain on their parade, but altruistic malware is something that many of us have thought about many, many times over the years.”

“You have to be really careful because what you’re doing is creating code that’s going to go wild and then infiltrate lots and lots of systems, and by inserting more unauthorised code into an environment, you're introducing more risk.”

Millard cites the Morris Worm – the first ever computer worm – as a good example of well-meaning code causing problems. “Back in 1988, Robert Morris was a researcher looking into the possibility of interconnected systems being infected by one another, so he created the worm for his own research and then delivered it into his own little environment and boom, it went everywhere. It was just him experimenting and not being malicious in any kind of way and trying to figure things out.” The Morris Worm unintentionally propagated on a large scale [for the time – estimated to be around 60,000 machines] and led to Morris being the first person convicted under the 1986 Computer Fraud and Abuse Act.

“I think we have to be really careful that altruistic approaches to getting rid of bugs don’t really accelerate, because we could end up having another problem where we assume it’s doing good but it could actually be doing bad.”

Millard also highlights how this charitable code brings up the issue of the vendor’s role in security and what people should do if they find and report vulnerabilities but nothing is done about them. “I’m on the side that companies should just be patching them or they should help guide people to fixing it rather than just going off and automating processes for them that they should be doing themselves.”

James Lynne, Global Head of Security Research at Sophos, has a similar view. “I'm not going to be one to encourage this as something we should be doing more of versus other approaches of more responsible vendor patching, more security by design and so on.”

“It’s not the first time we’ve seen this. It’s rare, but it’s not the first time. There were a couple of pieces of malware back when I started that would infect people’s systems, apply patches based on how it got in and uninstall itself.”

Lynne also suggests this is an idea security experts have been playing around with for a long time. “There’s actually a longstanding theory of computer science that ties deeply to the original creation of malware as the idea of a white worm,” he explains. “A white worm would be self-propagating malware that makes positive configuration changes and patches to make things more secure.”

“It’s cool, it’s interesting, and it’s hard to argue with it being a good thing when it’s going out and doing that, but I’d like to exercise caution. Any code that runs without permission, outside the ecosystem of vendor testing, outside the user’s authorization, written by an individual or a small group, even if well-intended, runs the risk of collateral damage.”

Lynne warns that there are many dangers in the concept of malware we might be willing to allow into our ecosystems. Nothing guarantees that altruistic code won’t reveal itself to have malicious intentions further down the line, or that cyber criminals won’t eventually copy and re-tool the code for their own purposes – something that has happened with nation-state malware, and one reason white worms never became a common sight.

“Even if well intended, the risk of altruistic malware could be quite high, which makes me nervous of the fundamental model versus pushing more responsibility onto the makers of technology to do the job better. But it is mightily interesting and I do give a hat tip of “isn’t that clever” to whoever’s responsible.”
