Threat boffin Mario Ballano says VXers have broken into a host of routers creating a botnet dedicated solely to securing and hardening the devices.
The Symantec security man says the botnet first detected in November last year has not launched a single denial of service attack or undergone any form of black hat activity in the months it has been monitored.
Ballano says the Linux.Wifatch malware kills exposed Telnet services, preventing further attacks; destroys common embedded device malware; and leaves a text message that admins should change their passwords and update firmware.
"For all intents and purposes it appeared like the author was trying to secure infected devices instead of using them for malicious activities," Ballano says
"Wifatch’s code does not ship any payloads used for malicious activities, such as carrying out DDoS attacks, in fact all the hardcoded routines seem to have been implemented in order to harden compromised devices.
"We’ve been monitoring Wifatch’s peer-to-peer network for a number of months and have yet to observe any malicious actions being carried out through it."
The malware also contains an exploit for Dahua CCTV systems that reboots the devices weekly, in what appears to be an attempt to kill non-persistent malware infections.
Ballano says the VXer does not attempt to obfuscate the malware code and merely shrinks the file size.
Moreover the author has supplied handy commentary to assist researchers in debugging the malware.
The VXer appears to be a fan of Snowden and Stallman citing the former Linux lover's letter within the malware code.
"To any NSA and FBI agents reading this: please consider whether defending the US Constitution against all enemies, foreign or domestic, requires you to follow Snowden's example."
Ballano however still toes the anti-virus line and says the malware is still malicious code since it is an unauthorised intrusion and contains backdoors that could be used for black hat hacking.
Even still the backdoors rely on cryptographic signatures such that only commands from the authors command and control will be run.
Most infections are in ARM-based devices in China, Brazil, and Mexico and India. ®