Malwar! Hajime IoT botnet fights back against Mirai

A new malware worm known as Hajime has infected as many as 10,000 IoT devices, but has so far caused no known damage.

Discovered by security researchers at Rapidity Networks in October 2016, Hajime is known to have wormed its way into DVRs, CCTV cameras and internet routers.

The malware is similar in form to Mirai, whose botnets were recently used to launch large-scale DDoS attacks: like Mirai, it uses a built-in list of default usernames and passwords to brute-force its way into poorly secured IoT devices.

According to security expert Graham Cluley, however, the worm differs in that, upon infection, it conceals its running processes and files on the system.

The news comes just weeks after the announcement that a new strain of the IoT/Linux botnet malware Tsunami, called Amnesia, was targeting an unpatched remote code execution vulnerability in DVR devices.

Hajime: Malware of the good kind

Interestingly, the worm's purpose is not clear, but Cluley calls it a "good IoT worm" because of the message it displays on infected devices:

‘Just a white hat, securing some systems.
Important messages will be signed like this!
Hajime Author.
Contact CLOSED
Stay sharp!’

According to a blog post by Waylon Grange, a senior threat researcher at Symantec, the message may indicate that the malware is the work of a white-hat hacker.

Some support for this lies in the fact that Hajime blocks inbound access to ports 23 (Telnet), 7547 (TR-069), 5555 and 5358, the services that Mirai and similar worms target, which hardens infected devices against Mirai.
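A practitioner who finds a device on their network will want to know whether those four ports are already closed, and by whom. The following is an added example, not code from the article, from Hajime or from Symantec: it parses the save-format output of `iptables -S INPUT` (assumed here to be how the device's firewall state is dumped) and reports which of the Hajime-targeted ports are dropped or rejected and which remain reachable. The rule dump is constructed for the example.

```python
"""Check an iptables INPUT dump for blocks on the ports Hajime closes.

Added example, not from the article or from Hajime itself. Assumes the
device can dump its firewall in `iptables -S INPUT` (save) format; the
sample dump below is constructed for illustration.
"""
import re

# Ports the article says Hajime blocks: 23 (Telnet), 7547 (TR-069), 5555, 5358.
HAJIME_PORTS = {23, 7547, 5555, 5358}

# Constructed sample: what `iptables -S INPUT` might print on a device where
# something (an admin, or a worm) has closed three of the four ports.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -p tcp -m tcp --dport 7547 -j DROP
-A INPUT -p tcp -m multiport --dports 5358,8080 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""

# Matches `--dport 23`, `--dports 5358,8080` and ranges such as `--dport 5000:5002`.
_DPORT = re.compile(r"--dports?\s+([\d,:]+)")


def ports_in_rule(rule):
    """Expand the destination-port match of one rule into a set of ports."""
    m = _DPORT.search(rule)
    if not m:
        return set()
    ports = set()
    for part in m.group(1).split(","):
        if ":" in part:  # iptables range syntax lo:hi, inclusive
            lo, hi = (int(x) for x in part.split(":"))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    return ports


def blocked_ports(rules, watch=HAJIME_PORTS):
    """Return the watched TCP ports that an INPUT rule drops or rejects."""
    blocked = set()
    for line in rules.splitlines():
        if not line.startswith("-A INPUT"):
            continue  # skip chain policy lines and other chains
        if "-p tcp" not in line:
            continue  # Telnet and TR-069 are TCP services
        if "-j DROP" in line or "-j REJECT" in line:
            blocked |= ports_in_rule(line) & set(watch)
    return blocked


def still_exposed(rules, watch=HAJIME_PORTS):
    """Return the watched ports no INPUT rule blocks (still reachable)."""
    return set(watch) - blocked_ports(rules, watch)


if __name__ == "__main__":
    print("blocked:", sorted(blocked_ports(SAMPLE_RULES)))
    print("exposed:", sorted(still_exposed(SAMPLE_RULES)))
```

On the constructed dump this reports 23, 7547 and 5358 as blocked and 5555 as still exposed. The dump alone cannot say who added the rules; unexplained DROP rules on exactly these ports, on a device nobody deliberately hardened, are a reason to look further, and hidden processes (as described above) mean a process listing is not a reliable way to confirm or rule out an infection.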

Frustrated vigilante or unlawful hacker?

Hajime, Japanese for "beginning", is spreading quickly, according to Symantec. Grange says the company "has tracked infections worldwide, with large concentrations in Brazil and Iran. It is hard to estimate the size of the peer-to-peer network, but modest estimates put it in the tens of thousands."

Chris Doman, a security researcher at AlienVault, said he “can see why a frustrated security expert might take the opportunity to take things into their own hands.

“Laws have been very slow to respond to the threat posed by insecure IoT devices.”

This is not the first time a vigilante has released a "good" worm. In 2014, the Linux.Wifatch malware attempted to secure IoT devices in much the same way Hajime does now, and, as Doman emphasized, in 2001 the "Code Green worm went around patching systems vulnerable to the Code Red worm."

While Hajime may not have caused damage, Graham Cluley points out that "hacking is still hacking. Even if better security is its intention, malware that logs into a device and changes its configuration settings without a user's consent violates the law."

Read more: IoT Security: Keep your finger on the trigger, but there’s no golden bullet

Blossoming botnet market

Commenting on the recent growth in infected IoT devices, Itsik Mantlin, director of security research at Imperva, said the current security situation is disturbing.

“What most disturbs me here is the fact that this trend is likely to stay with us for at least a couple of years,” Mantlin said.

“Existing botnets remain active until the devices are patched or retired, which in IoT devices can take years. Moreover, new connected devices are still being released to the field without adequate protection, providing easy prey for the next IoT worm.

“The power of this number of bot soldiers can be used in many various ways. Are we expected to see from this botnet intensive DDoS attacks on victim web servers like Mirai, distributed brute force attempts on login pages, or scanning web sites for SQL injection vulnerabilities?

“With botnets becoming a commodity, and the botnet-for-hire market flourishing, my guess is that we will see some of all of the above.”

Read more: Search Lab finds numerous flaws in AVTech cameras and DVRs