REINCARNA Linux.Wifatch Malware Whitehat Backdoor made by the good guys? How illegal is this?


So last night I did a little banner grabbing from some IP ranges that have been historically extremely insecure. I'm not a blackhat hacker anymore, so my intentions weren't to exploit these hopelessly incompetent victims, but I would have notified them. I have considered the idea of compromising them just to patch them and save them from themselves, but I don't need issues from the fuzz. While banner grabbing I started noticing a trend: someone else had the same idea that I did. Since security isn't common in these ranges, a whitehat hacker decided to take measures into his own hands and compromise entire netranges to backdoor and patch them.

Realistically, a huge percentage of accessible Linux, Solaris, Irix, *BSD, SCO, Ultrix and other *nix based servers are compromised. The backdoors used are extremely hard to detect; for instance, some of the underground backdoors that I've had my hands on trojan sshd/telnetd/ftpd and allow remote root access with special keys. An example of one of my favorites was bj.c, which never was released publicly and which I had back in 1999; it would defeat Tripwire and every other pathetic host-based security solution for *nix. bj.c worked by replacing the telnet, SSH or ftp daemon, allowing the hacker to log in remotely over port 21, 22 or 23 (whichever you wanted) by setting a TERM value in the code. An example would be TERM=vs690 telnet 1.1.1.1, and you would be dropped into a root shell without creating entries in /etc/messages, syslog, utmp or any other logs. The SSH backdoor version would use encryption and a special username that wouldn't show up in /etc/passwd or anywhere else for that matter. Simply doing ssh j00rpwn3d@1.1.1.1 would drop you into a root shell. Since these underground private backdoors have never been released and white hat hackers typically only have academic knowledge, they have never been detected by any host-based security solution I've seen; I have submitted them for scanning over the years with a zero percent detection rate. The only chance of detecting these backdoors on your network is by using network traffic monitoring tools to identify odd incoming traffic over periods of time with large packet counts, and being smart enough to know something seems off. I would recommend re-imaging if you see traffic that seems off, because Ncase, qtip or whatever you're using won't find them. I have literally seen these backdoors stay on systems for 10+ years; they usually aren't mitigated until the OS is actually updated.

Is this legal? Uhhh... well... No! Is it morally and ethically right? I would have to lean on the side of YES! I scanned ten /16 ranges in which, in the past, I could own virtually anything public facing, and this hacker had compromised and backdoored over 1200 hosts that I counted. I would suspect, based off the small sample size, that he/she has compromised over 10,000 hosts on the Internet.

I am going to examine the backdoor that REINCARNA is using and examine the source code of Linux.Wifatch, which is available at https://gitlab.com/rav7teif/linux.wifatch, to see if these hosts really are only being compromised to protect them. On the surface that seems very unrealistic, as this would take a considerable amount of time unless a worm was launched to auto-compromise and patch these hosts, but that would be extremely risky as the worm could attempt to exploit hosts of foreign governments and military systems. Even as a blackhat in the old days I avoided hacking government hosts; 2600 defacements using one of my various tag names would support this, although legally I'm not admitting I had anything to do with them.

Banner grabbing is not illegal, so here is an example of a few hosts that I came across that were hacked by REINCARNA, supposedly for their protection.

Add your comments to the section below. I am interested to see the opinions of other security professionals and outside sources on this practice, and on whether this “good guy” hacker should be brought to justice. Given the ranges I was scanning, he might be compromising hosts in countries that don't commonly extradite, or he himself may live in a place without extradition laws. The e-mail listed is a Russian one, but as any hacker knows, you conceal your true identity; he could very well be living in California, USA.

root@wittyserver:~# telnet 91.220.205.*
Trying 91.220.205.*...
Connected to 91.220.205.*.
Escape character is '^]'.

REINCARNA / Linux.Wifatch

Your device has been infected by REINCARNA / Linux.Wifatch.

We have no intent of damaging your device or harm your privacy in any way.

Telnet and other backdoors have been closed to avoid further infection of
this device. Please disable telnet, change root/admin passwords, and/or
update the firmware.

This software can be removed by rebooting your device, but unless you take
steps to secure it, it will be infected again by REINCARNA, or more harmful
software.

This remote disinfection bot is free software. The source code
is currently available at https://gitlab.com/rav7teif/linux.wifatch

Team White <rav7teif@ya.ru>

Connection closed by foreign host.

root@wittyserver:~# telnet 91.220.204.*
Trying 91.220.204.*...
Connected to 91.220.204.*.
Escape character is '^]'.

REINCARNA / Linux.Wifatch

Your device has been infected by REINCARNA / Linux.Wifatch.

We have no intent of damaging your device or harm your privacy in any way.

Telnet and other backdoors have been closed to avoid further infection of
this device. Please disable telnet, change root/admin passwords, and/or
update the firmware.

This software can be removed by rebooting your device, but unless you take
steps to secure it, it will be infected again by REINCARNA, or more harmful
software.

This remote disinfection bot is free software. The source code
is currently available at https://gitlab.com/rav7teif/linux.wifatch

Team White <rav7teif@ya.ru>

Connection closed by foreign host.

root@wittyserver:~# telnet 91.220.204.*
Trying 91.220.204.*...
Connected to 91.220.204.*.
Escape character is '^]'.

REINCARNA / Linux.Wifatch

Your device has been infected by REINCARNA / Linux.Wifatch.

We have no intent of damaging your device or harm your privacy in any way.

Telnet and other backdoors have been closed to avoid further infection of
this device. Please disable telnet, change root/admin passwords, and/or
update the firmware.

This software can be removed by rebooting your device, but unless you take
steps to secure it, it will be infected again by REINCARNA, or more harmful
software.

This remote disinfection bot is free software. The source code
is currently available at https://gitlab.com/rav7teif/linux.wifatch

Team White <rav7teif@ya.ru>

Connection closed by foreign host.
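If you want to check devices you administer for this notice without reading every telnet session by hand, here is an added example (not code from this post or from the Wifatch project) that reads a telnet banner, strips the IAC option-negotiation bytes a real telnetd sends first, and flags the REINCARNA / Linux.Wifatch text shown in the sessions above, pulling out the URL and contact address it advertises. The function names grab_banner and classify_banner, the BannerReport structure and the two sample byte strings are my own constructions; the marker strings are taken from the notice as it appears above.

```python
"""Flag the REINCARNA / Linux.Wifatch notice in a telnet banner.

Added example; not part of the original post or the Wifatch source.
Works on constructed sample bytes offline, or on a host you are
authorised to check via grab_banner().
"""
import re
import socket
import sys
from dataclasses import dataclass, field

# Fixed strings copied from the notice in the telnet sessions above.
WIFATCH_MARKERS = (
    b"REINCARNA / Linux.Wifatch",
    b"This remote disinfection bot is free software",
)
URL_RE = re.compile(rb"https?://[^\s<>]+")
CONTACT_RE = re.compile(rb"<([^<>@\s]+@[^<>@\s]+)>")
TELNET_IAC = 0xFF  # RFC 854: every telnet command starts with IAC


@dataclass
class BannerReport:
    wifatch: bool                      # notice present?
    urls: list = field(default_factory=list)
    contacts: list = field(default_factory=list)
    first_line: str = ""               # first non-empty banner line


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Remove IAC command sequences so only the human-readable banner remains.

    Handles IAC IAC (literal 0xFF), the three-byte DO/DONT/WILL/WONT
    forms and other two-byte commands. SB subnegotiation is not handled;
    a telnetd rarely sends it before the login banner.
    """
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != TELNET_IAC or i + 1 >= len(data):
            out.append(b)
            i += 1
            continue
        cmd = data[i + 1]
        if cmd == TELNET_IAC:          # escaped literal 0xFF
            out.append(TELNET_IAC)
            i += 2
        elif cmd in (0xFB, 0xFC, 0xFD, 0xFE):  # WILL/WONT/DO/DONT + option
            i += 3
        else:                          # NOP, GA, ... (two bytes)
            i += 2
    return bytes(out)


def classify_banner(data: bytes) -> BannerReport:
    """Return a report saying whether the Wifatch notice is in the banner."""
    text = strip_telnet_negotiation(data)
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    first = lines[0].decode("utf-8", "replace") if lines else ""
    return BannerReport(
        wifatch=any(m in text for m in WIFATCH_MARKERS),
        urls=[u.decode("ascii", "replace") for u in URL_RE.findall(text)],
        contacts=[c.decode("ascii", "replace") for c in CONTACT_RE.findall(text)],
        first_line=first,
    )


def grab_banner(host: str, port: int = 23, timeout: float = 5.0,
                max_bytes: int = 4096) -> bytes:
    """Connect, read whatever the service volunteers, and return it raw."""
    chunks, total = [], 0
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            while total < max_bytes:
                chunk = s.recv(1024)
                if not chunk:
                    break
                chunks.append(chunk)
                total += len(chunk)
        except socket.timeout:
            pass  # idle service: return what we have so far
    return b"".join(chunks)


# Constructed samples: negotiation bytes followed by a banner.
SAMPLE_WIFATCH = (
    b"\xff\xfd\x18\r\nREINCARNA / Linux.Wifatch\r\n\r\n"
    b"Your device has been infected by REINCARNA / Linux.Wifatch.\r\n\r\n"
    b"This remote disinfection bot is free software. The source code\r\n"
    b"is currently available at https://gitlab.com/rav7teif/linux.wifatch\r\n\r\n"
    b"Team White <rav7teif@ya.ru>\r\n"
)
SAMPLE_CLEAN = b"\xff\xfb\x01\xff\xfd\x18Ubuntu 20.04 LTS\r\nlogin: "

if __name__ == "__main__":
    if len(sys.argv) > 1:              # python wifatch_banner.py <host> [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 23
        print(classify_banner(grab_banner(sys.argv[1], port)))
    else:
        for name, sample in (("wifatch", SAMPLE_WIFATCH), ("clean", SAMPLE_CLEAN)):
            print(name, classify_banner(sample))
```

The check keys on fixed strings from the notice rather than on the source URL alone, so a device whose banner was edited to drop the URL is still flagged; a reboot clears the bot per its own notice, so treat a hit as a sign the device is still reachable with default telnet credentials and fix that first.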
