Hajime IoT worm infects devices to head off Mirai

Mirai is the name of the worm that has taken control of many IoT devices around the world and used them to mount DDoS attacks, the most high-profile of which was directed against US-based DNS provider Dyn and resulted in many websites and online services being inaccessible for hours on end.

Hajime IoT worm

Its source code was leaked by the author, which lead to the creation of more botnets, and an increased fear that we’ll soon witness another attack of this magnitude or even more of them with even worse results.

The security community has been grumbling about the insecurity of the Internet of Things before the Dyn attack and especially after it. Unfortunately, there seems to be a general unwillingness or, at least, a maddening sluggishness in the reactions of those who can and should attempt to fix the problem (i.e. IoT manufacturers and legislators).

It’s no wonder, then, that some individuals who should not interfere with these devices have taken it upon themselves to do so, in an attempt to secure them before other malware takes hold.

The latest attempt of this kind has been performed via the Hajime worm.

Hajime: The “Beginning”

Hajime is a piece of malware that works much like Mirai: it spreads via unsecured devices that have open Telnet ports and use default passwords.

“In fact, Hajime uses the exact same username and password combinations that Mirai is programmed to use, plus two more,” Symantec researchers noted.

But unlike Mirai, it also:

  • Secures the target devices by blocking access to ports 23, 7547, 5555, and 5358, i.e. ports hosting exploitable services on many IoT devices
  • It takes steps to conceal its running processes and hide its files on the file system
  • Is built on and controlled via a peer-to-peer network (not through a C&C server), so a takedown of the botnet is made more difficult
  • Does not have DDoS capabilities or attack code (for now).

The interesting thing about Hajime is that it was named in October 2016 by Rapidity Networks researchers, who first spotted it in the wild and analyzed it. The name means “beginning” in Japanese, and is a nod to Mirai (Japanese for “future”).

Hajime’s author was obviously happy with it, and he dubbed himself “Hajime author” in the message the worm shows on the compromised devices’ terminal.

“The (…) message is cryptographically signed and the worm will only accept messages signed by a hardcoded key, so there is little question that this message is from the worm’s true author,” the researchers noted. In the message, the Hajime author states his or her intention to secure devices, and says that we can expect more important messages in the future.

Another interesting thing is that, after Rapidity Networks researchers noted a few design flaws in the worm, the author used their pointers to fix them and improve the malware.

The problem with the Hajime IoT worm

It’s really tempting to say “Someone’s finally doing something about the threat of hijacked IoT devices!”, but there are many things about this situation that are or could become a problem.

For one, Hajime has no persistence mechanism. It is loaded in the devices’ RAM, and is flushed out each time they are rebooted.

“Once the device is rebooted it goes back to its unsecured state, complete with default passwords and a Telnet open to the world,” Symantec researchers pointed out.

“One day a device may belong to the Mirai botnet, after the next reboot it could belong to Hajime, then the next any of the many other IoT malware/worms that are out there scanning for devices with hardcoded passwords. This cycle will continue with each reboot until the device is updated with a newer, more secure firmware.”

Secondly, how can we ever know for sure that Hajime’s author won’t add attack capabilities to the worm and use the botnet for malicious purposes? It is estimated that the botnet encompasses tens of thousands, and possibly even more devices, and can easily be used for devastating attacks.

Hajime IoT worm infections around the world

Hajime is not the first piece of malware that has been used to (illegally!) secure IoT devices from other threats, and I’m sure it won’t be the last.

Until stakeholders show the will to come up with better solutions for protecting the IoT, there will be vigilantes who will attempt to implement their own fixes.