A relatively new malware family known as Hajime is worming its way through DVRs, CCTV systems, and other poorly-protected Internet of Things (IoT) devices.
First discovered by Rapidity Networks’ security researchers in October 2016, the worm is similar to Mirai in that it uses built-in username and password combinations to brute-force its way into unsecured devices with open Telnet ports.
But Hajime does differentiate itself from other IoT malware in several important respects. Upon successful infection, the worm conceals its running processes and files on the file system.
It also doesn’t rely on a command and control server (C&C) but instead leverages a peer-to-peer network to send command modules to all its infected devices, which makes the malware more resistant to takedowns.
These techniques have helped Hajime grow over time. Symantec’s senior threat researcher Waylon Grange elaborates on this point in a blog post:
“Over the past few months, Hajime has been spreading quickly. Symantec has tracked infections worldwide, with large concentrations in Brazil and Iran. It is hard to estimate the size of the peer-to-peer network, but modest estimates put it in the tens of thousands.”
At this time, the purpose of Hajime remains unknown. The malware currently doesn’t deliver distributed denial of service (DDoS) capabilities to its bots. Instead it displays a message that says a “white hat” is “securing some systems.”
Just a white hat, securing some systems.
Important messages will be signed like this!
Sure enough, the worm does block access to ports 23, 7547, 5555, and 5358, common entry points for Mirai and other threats.
This isn’t the first time we’ve seen a “good” IoT worm.
The problem with these initiatives boils down to the fact that hacking is still hacking. Even if better security is its intention, malware that logs into a device and changes its configuration settings without a user’s consent violates the law. Ultimately, it’s up to users (and the device manufacturers, of course) to take security seriously.
But there’s something else that complicates Hajime even further.
The “white hat” refers to themselves as “Hajime Author” in the message even though the word “Hajime” doesn’t show up in the malware’s binaries, which could suggest the author reviewed Rapidity Networks’ report. Corroborating this view, several bugs first identified in the study are no longer present in the malware’s code. Perhaps the author used the report as free quality assurance.
Grange doesn’t like this possibility one bit:
“In this case, helping the author fix the bugs may not have caused that much damage, but the thought of security researchers inadvertently assisting malware authors is worrying. There is a fine balance between deciding how much information to put into a malware report to help IT teams identify compromises, while at the same time not exposing so much information as to serve as training and critical review for the attackers. Highlighting mistakes in malware is rarely worth it as it provides very little actionable intelligence for defenders. Just like in poker, security researchers must remember to never show someone their hand if they don’t have to.”
Whether good or bad, a malware infection on an IoT device is unwanted. Users should therefore do everything they can to secure the products they buy. This begins with researching each device carefully before purchasing it, changing the default credentials on those products, and disabling remote access.
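The two practical points above, that ports 23, 7547, 5555 and 5358 are the usual entry points for Hajime and Mirai and that owners should close off remote access themselves, can be checked from the device owner's side rather than left to a worm. The following script is an added example written for this article, not code from Symantec, Rapidity Networks or the Hajime author: it parses the output of `ss -ltn` on a Linux-based device, reports which of those four ports are listening on a non-loopback address, and prints the `iptables`/`ip6tables` rules an owner could use to block them. The `ss` output embedded below is constructed for illustration; the port list is the one the article names.

```python
"""Audit a Linux-based IoT device for the TCP ports Hajime and Mirai use as
entry points (23, 7547, 5555, 5358) and emit firewall rules to block them.

Added example, not part of the original article. Assumes a Linux device
where `ss -ltn` and iptables/ip6tables are available; the sample output
below is constructed, not captured from a real device.
"""

# Ports the article names as common IoT worm entry points.
# Port 23 is Telnet (the service Hajime brute-forces); the others are
# listed only as the article gives them.
WORM_ENTRY_PORTS = {23, 7547, 5555, 5358}

# Constructed sample of `ss -ltn` output: Telnet and 7547 are exposed on
# all interfaces, 5555 is bound to loopback only, and 80 is not of interest.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:23          0.0.0.0:*
LISTEN  0       128     127.0.0.1:5555      0.0.0.0:*
LISTEN  0       128     [::]:7547           [::]:*
LISTEN  0       128     0.0.0.0:80          0.0.0.0:*
"""


def parse_listeners(ss_output):
    """Return (address, port) tuples for every LISTEN row in `ss -ltn` text."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        # Skip the header and anything that is not a listening socket.
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        local = fields[3]                      # "Local Address:Port" column
        addr, _, port = local.rpartition(":")  # split on the LAST colon (IPv6 safe)
        addr = addr.strip("[]")                # "[::]" -> "::"
        listeners.append((addr, int(port)))
    return listeners


def is_loopback(addr):
    """True for addresses only reachable from the device itself."""
    return addr == "::1" or addr.startswith("127.")


def exposed_worm_ports(listeners):
    """Worm entry ports bound to a non-loopback address, sorted ascending."""
    return sorted({port for addr, port in listeners
                   if port in WORM_ENTRY_PORTS and not is_loopback(addr)})


def firewall_rules(ports):
    """Inbound DROP rules for each port, for both IPv4 and IPv6 stacks."""
    rules = []
    for port in ports:
        rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
        rules.append(f"ip6tables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


def audit(ss_output):
    """Run the full check and return (exposed_ports, rules)."""
    exposed = exposed_worm_ports(parse_listeners(ss_output))
    return exposed, firewall_rules(exposed)


if __name__ == "__main__":
    # On a real device: audit(subprocess.run(["ss", "-ltn"], ...).stdout)
    exposed, rules = audit(SAMPLE_SS_OUTPUT)
    print("Exposed worm entry ports:", exposed)   # [23, 7547]
    for rule in rules:
        print(rule)
```

Blocking the port is a stopgap; the durable fix is to disable the Telnet and remote-management services in the device's own configuration and change the default credentials, as the article recommends. The loopback check matters because a service bound to 127.0.0.1 is not reachable over the network and does not need a rule.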