The Hajime IoT worm fights the Mirai botnet for control of your devices

But what are its intentions?

Hajime IoT worm

A relatively new malware family known as Hajime is worming its way through DVRs, CCTV systems, and other poorly-protected Internet of Things (IoT) devices.

First discovered by Rapidity Networks' security researchers in October 2016, the worm is similar to Mirai in that it uses built-in username and password combinations to brute-force its way into unsecured devices with open Telnet ports.

But Hajime does differentiate itself from other IoT malware in several important respects. Upon successful infection, the worm conceals its running processes and files on the file system.

It also doesn't rely on a command and control server (C&C) but instead leverages a peer-to-peer network to send command modules to all its infected devices, which makes the malware more resistant to takedowns.

These techniques have helped Hajime grow over time. Symantec's senior threat researcher Waylon Grange elaborates on this point in a blog post:

"Over the past few months, Hajime has been spreading quickly. Symantec has tracked infections worldwide, with large concentrations in Brazil and Iran. It is hard to estimate the size of the peer-to-peer network, but modest estimates put it in the tens of thousands."

Hajime 1

Top 10 Hajime-infected countries. (Source: Symantec)

At this time, the purpose of Hajime remains unknown. The malware currently doesn't pass off distributed denial of service (DDoS) capabilities to its bots. Instead it displays a message that says a "white hat" is "securing some systems."

Just a white hat, securing some systems.
Important messages will be signed like this!
Hajime Author.
Contact CLOSED
Stay sharp!

Sure enough, the worm does block access to ports 23, 7547, 5555, and 5358, common entry points for Mirai and other threats.

This isn't the first time we've seen a "good" IoT worm.

Who can forget the Nemotode project that disappeared almost as quickly as it arrived?

The problem with these initiatives boils down to the fact that hacking is still hacking. Even if better security is its intention, malware that logs into a device and changes its configuration settings without a user's consent violates the law. Ultimately, it's up to users (and the device manufacturers, of course) to take security seriously.

But there's something else that complicates Hajime even further.

The "white hat" refers to themselves as "Hajime Author" in the message even though the word "Hajime" doesn't show up in the malware's binaries, which could suggest the author reviewed Rapidity Networks' report. Corroborating this view, several bugs first identified in the study are no longer present in the malware's code. Perhaps the author used the report as free quality assurance.

Grange doesn't like this possibility one bit:

"In this case, helping the author fix the bugs may not have caused that much damage, but the thought of security researchers inadvertently assisting malware authors is worrying. There is a fine balance between deciding how much information to put into a malware report to help IT teams identify compromises, while at the same time not exposing so much information as to serve as training and critical review for the attackers. Highlighting mistakes in malware is rarely worth it as it provides very little actionable intelligence for defenders. Just like in poker, security researchers must remember to never show someone their hand if they don’t have to."

Whether good or bad, a malware infection on an IoT device is unwanted. Users should therefore do everything they can to secure a product they purchase. This begins with researching each device carefully before they purchase it, changing the default credentials on those products, and disabling remote access.

Tags: , , , , ,

Smashing Security audio podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

Subscribe to the free GCHQ newsletter

, , , , ,

2 Responses

  1. john

    April 20, 2017 at 10:57 am #

    Would this affect YouView boxes as well? Only last month woke up to find my YouView had gone into maintenance mode all by it's self never done that before

    • Graham Cluley in reply to john.

      April 20, 2017 at 2:34 pm #

      Don't know enough about YouView boxes I'm afraid. You may wish to contact the vendor for support – remember incompetence and cockup are often the explanation for a screw-up rather than malevolence.

Leave a Reply