The Mirai malware that has created massive botnets out of hijacked Internet of Things devices has met a formidable opponent in Hajime, a rival IoT worm whose intent may be to declaw Mirai.
According to a new blog post analysis from Symantec Corporation, Hajime has been quickly spreading worldwide over the last few months, accumulating at least tens of thousands of bots since first being discovered and subsequently disclosed in October by researchers at Rapidity Networks.
Symantec has detected especially large clusters of infections in Brazil and Iran, whose native IoT devices represent 19 and 17 percent of total infections, respectively. (Thailand and Russia are third, with 11 percent of Hajime infections each.)
Based on its own honeypot network data, Rapidity Networks in October extrapolated that Hajime at the time was likely executing 260-370 billion infection attempts per day and had already successfully compromised somewhere between 130,000 and 185,000 devices.
Unlike Mirai, which has been used to mine bitcoins and launch high-bandwidth distributed denial of service attacks, Hajime appears to have no malicious functionality. Rather, it is built primarily to propagate itself, while also defending infected machines against Mirai-type attacks by closing off their open, vulnerable Telnet ports.
Hajime also displays a message on affected terminals approximately every 10 minutes, which reads: "Just a white hat, securing some systems. Important messages will be signed like this! Hajime Author. Contact CLOSED Stay sharp!" Such behaviour, Symantec noted, suggests that Hajime may be the work of a white-hat hacker, perhaps looking to suppress Mirai's malicious handiwork. (In light of these revelations, SC Media has reached out to Rapidity Networks for its own latest analysis on the malware.)
Although Hajime appears innocuous, and maybe even benevolent in nature, it is not without its concerns. Waylon Grange, senior malware researcher at Symantec (and author of his company's Hajime blog post) acknowledged in an interview with SC Media that there is currently "no hard evidence that Hajime is actually affecting Mirai" in terms of its size and scope.
Moreover, rebooting a device infected by Hajime would reopen its vulnerable ports again, leaving it susceptible once again to Mirai. "And so, we are left with embedded devices stuck in a sort of Groundhog Day time loop scenario," Grange wrote in the blog post. "One day a device may belong to the Mirai botnet, after the next reboot it could belong to Hajime, then the next any of the many other IoT malware/worms that are out there scanning for devices with hardcoded passwords. This cycle will continue with each reboot until the device is updated with a newer, more secure firmware."
And finally, Grange warned that a malware author's intentions can always change so long as he has backdoor control of a device or machine.
Rapidity Networks gave Hajime its name because it is the Japanese word for "beginning," while Mirai translates as "future." Both malware programs scan the internet for IoT devices with open ports and vulnerable default passwords, but beyond this their differences become apparent.
For instance, Hajime propagates itself via a decentralised peer-to-peer network rather than a more traditional command-and-control model like its predecessor Mirai. "Hajime's... network is designed after some common peer-to-peer networks like those used by Bittorrent," Grange told SC Media. "This provides a large amount of redundancy," making takedowns more difficult to execute.
"In a typical botnet takedown, the idea is to take out the command-and-control server. Without it, the botnet won't know where to get commands from," Grange continued. "In a peer-to-peer network all the peers get their information from connecting to each other, [so] there is no central place to hit to bring it down. The controller simply selects one node at random, passes it the message... and tells it to spread the word."
In his blog post, Grange also noted that Hajime is stealthier than Mirai because it takes measures to conceal its processes and hide its files.
Furthermore, Hajime's author "can open a shell script to any infected machine in the network at any time, and the code is modular, so new capabilities can be added on the fly," Grange wrote. "It is apparent from the code that a fair amount of development time went into designing this worm."
Grange told SC Media that Hajime and Mirai infect many of the same kinds of IoT devices, with a few notable exceptions. "Mirai targets some processor types that Hajime doesn't -- namely ppc, sh4, sparc, and x86 processors. It's unclear why Hajime doesn't target those devices," said Grange. "[An] earlier version of Hajime did have an x64 build, but that seems to have fallen off in the most recent version of the malware."