Routers repaired by apparently 'benign' malware

In a bizarre turn of events, Symantec reports in a recent blog post on a virus that is spreading in the wild and appears, at least at this stage, to be benevolent.

According to Symantec, the Wifatch code infects routers and "Internet of Things" devices and forms a peer-to-peer network of compromised devices. The twist, however, is that this particular code appears to make devices more secure against further hacking attempts.

Wifatch's code is unobfuscated and contains no malicious payloads, but what makes it really unusual is that it attempts to treat other malware infections present on the compromised device. In addition, the code closes the vulnerable Telnet daemon on compromised devices, leaving a warning for the device owner telling them that the service has been disabled and further advising them to update their firmware/change passwords.

[Image: Wifatch 1]

The threat author has also left the following comment in the source code, which references software freedom activist Richard Stallman's email signature:

[Image: Wifatch 2]

Symantec points out that the devices are potentially exploitable by the Wifatch author, as they contain a number of general-purpose backdoors; however, after several months of monitoring, Symantec hasn't witnessed any attempt to abuse Wifatch-compromised devices.

Symantec discusses this further in their blog entry.
