First identified in October 2016 by Rapidity Networks, Hajime has reportedly infected approximately 100,000 devices across the globe. According to PC World’s Michael Kan, Hajime scans the internet for vulnerable IoT devices such as cameras, DVRs and routers that have open Telnet ports and use default passwords.
“[Hajime] compromises them by trying different username and password combinations and then transferring a malicious program,” Kan explained.
“However, Hajime doesn’t take orders from a command-and-control server like Mirai-infected devices do. Instead, it communicates over a peer-to-peer network built off protocols used in BitTorrent, resulting in a botnet that’s more decentralized – and harder to stop.”
Interestingly, security researchers are unsure as to who is behind Hajime. To add to the mystery, the Hajime botnet has yet to launch any DDoS attacks.
“There’s been no attribution. Nobody has claimed it,” Pascal Geenens, a security researcher at security vendor Radware, told PC World. “[Nevertheless], it’s a big threat forming. At some point, it can be used for something dangerous.”
Meanwhile, Arxan CMO Mandeep Khera told ThreatPost that while “no one knows for sure” who created Hajime, it is quite likely a vigilante white hat hacker designed the IoT malware strain to counter any future attacks from Mirai and other botnets.
Travis Smith, senior security research engineer at Tripwire, expressed similar sentiments, as Hajime triggers the command and control system to send the following message to the device’s terminal every 10 minutes: “Just a white hat, securing some systems. Important messages will be signed like this! Hajime Author. Contact CLOSED Stay sharp!”
As Smith notes, there have been quite a few examples of vigilante malware in recent years.
“The danger with any of these, including Hajime, is that there may be collateral damage to the devices,” he told ThreatPost. “One mistake in the exploit, or shutting down a port that’s being used by the device, can render the device unusable to the actual owner. What happens if the malware infects critical infrastructure by accident and takes the device offline? Even the best intentions can have negative consequences.”
Indeed, Symantec’s Waylon Grange cautions that it remains unclear if Hajime’s creator is a true white hat attempting to secure IoT devices, as the malware still installs its own backdoor on a system.
“The modular design of Hajime also means if the author’s intentions change they could potentially turn the infected devices into a massive botnet,” Grange wrote in a blog post earlier this month. “To the author’s credit, once the worm is installed it does improve the security of the device. It blocks access to ports 23, 7547, 5555, and 5358, which are all ports hosting services known to be exploitable on many IoT devices. Mirai is known to target some of these ports.”
In addition, says Grange, once a Hajime-compromised device is rebooted it reverts to an unsecured state – complete with default passwords and a Telnet port open to the world.
“To have a lasting effect, the firmware would need to be updated. It is extremely difficult to update the firmware on a large scale because the process is unique to each device and in some cases is not possible without physical access. And so, we are left with embedded devices stuck in a sort of Groundhog Day time loop scenario,” Grange stated. “One day a device may belong to the Mirai botnet, after the next reboot it could belong to Hajime, then the next any of the many other IoT malware/worms that are out there scanning for devices with hardcoded passwords. This cycle will continue with each reboot until the device is updated with a newer, more secure firmware.”
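The reboot cycle Grange describes can be checked for from the defender's side: if a device's Hajime-blocked ports are closed in one scan and open again after a reboot, the closure was a runtime filter rather than a fix. The following is an added example, not code from the original article; the scan lines are constructed in nmap "grepable" style on documentation addresses, and nothing on a network is touched.

```python
"""Report ports from the set Hajime is said to block (23, 7547, 5555, 5358) that
were closed in a first scan but open again in a second one, e.g. after a reboot.
Added example, not code from the article; scan lines are constructed nmap -oG style."""
import re

# Ports the article says Hajime blocks once installed (only 23/telnet is named there).
HAJIME_BLOCKED_PORTS = {23, 7547, 5555, 5358}

_HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*)$")

def parse_grepable(lines: list[str]) -> dict[str, set[int]]:
    """Map each host to its open TCP ports, parsed from -oG style lines."""
    hosts: dict[str, set[int]] = {}
    for line in lines:
        m = _HOST_RE.match(line.strip())
        if not m:
            continue  # comment and "Status:" lines carry no port data
        host, ports_field = m.groups()
        open_ports = hosts.setdefault(host, set())
        for entry in ports_field.split(","):
            # -oG entry layout: port/state/protocol/owner/service/rpc/version/
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
                open_ports.add(int(fields[0]))
    return hosts

def reverted_exposure(before: list[str], after: list[str]) -> dict[str, list[int]]:
    """Hosts where a Hajime-blocked port was closed before but open after: the
    closure was a runtime filter, not a firmware/config fix, so it still needs one."""
    pre, post = parse_grepable(before), parse_grepable(after)
    result: dict[str, list[int]] = {}
    for host, open_after in post.items():
        reopened = (open_after & HAJIME_BLOCKED_PORTS) - pre.get(host, set())
        if reopened:
            result[host] = sorted(reopened)
    return result

# Constructed sample: scan while runtime-filtered, then the same devices after a reboot.
SCAN_BEFORE_REBOOT = [
    "Host: 192.0.2.10 ()\tPorts: 80/open/tcp//http///",
    "Host: 192.0.2.11 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///",
]
SCAN_AFTER_REBOOT = [
    "Host: 192.0.2.10 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///, 7547/open/tcp//unknown///",
    "Host: 192.0.2.11 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///",
]

if __name__ == "__main__":
    for host, ports in reverted_exposure(SCAN_BEFORE_REBOOT, SCAN_AFTER_REBOOT).items():
        print(f"{host}: {ports} reopened after reboot; needs firmware/config fix")
```

Device 192.0.2.11 had Telnet open in both scans, so it is reported as exposed throughout by the first scan alone; only 192.0.2.10 shows the reopen-after-reboot pattern.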