Security Experts:

White Hat Hacker Created Mysterious IoT Worm, Symantec Says

Hajime IoT Worm Appears to be Work of White Hat Hacker

An Internet of Things (IoT) worm that targets the same devices as the infamous Mirai botnet appears to be the work of a white hat hacker, Symantec researchers say.

Dubbed Hajime, the worm was initially discovered in October, just weeks after Mirai’s code emerged online, and Rapidity Networks researchers estimated at the time it had infected between 130,000 and 185,000 devices. The malware was using the same username and password combinations as Mirai, and was focused on compromising the very same insecure IoT devices.

At the time, however, Rapidity Networks suggested that the malware could be only a research project, as it had no other components than the spread module. Basically, while Mirai remains focused on ensnaring devices to abuse them in distributed denial of service (DDoS) attacks, Hajime doesn't appear to have a malicious component.

Six months later, nothing has changed in this regard, and the worm continues to pack only the spread module, with its actual purpose still a mystery, Symantec says. However, the security researchers do note that the malware installs a backdoor on the compromised devices, which could be used for nefarious purposes.

At the moment the malware only fetches a statement from its controller and displays it on the terminal approximately every 10 minutes, researchers say. The statement claims that a white hat is behind the code, and that they are “securing some systems.”

The operator has the option to open a shell script to any infected machine in the network at any time, and has designed Hajime to accept only messages signed by a hardcoded key. Thus, it’s clear that the message Hajime displays on the terminal comes from the author.

Hajime is a peer-to-peer botnet, meaning that there is no single command and control (C&C) address that it has to connect to when receiving commands. Instead, its operator can push commands to the network and wait for them to propagate to all peers over time.

The malware appears more advanced compared to Mirai, and researchers discovered that it takes multiple steps in an attempt to hide its presence on the system. Courtesy of Hajime’s modular design, the operator can add new capabilities to it on the fly. According to Symantec, the author has invested a “fair amount of development time” in this creation.

“However, there is a question around trusting that the author is a true white hat and is only trying to secure these systems, as they are still installing their own backdoor on the system. The modular design of Hajime also means if the author’s intentions change they could potentially turn the infected devices into a massive botnet,” the security firm explained.

On the other hand, once it has infected a device, the malware attempts to improve security by blocking access to ports 23, 7547, 5555, and 5358. These ports are already known to be hosting services that are exploitable by many threats, including Mirai.

Hajime’s behavior is similar to that of the Wifatch, also known as the “vigilante malware,” and isn’t viewed as an effective approach to securing IoT devices. The effects of white worms are only temporary, because the changes are made only in RAM and cannot persist reboots.

“Once the device is rebooted it goes back to its unsecured state, complete with default passwords and a Telnet open to the world. To have a lasting effect, the firmware would need to be updated. It is extremely difficult to update the firmware on a large scale because the process is unique to each device and in some cases is not possible without physical access,” Symantec said.

This also means that there’s a constant battle between Hajime, Mirai and other IoT malware out there to take over exposed devices. This battle is a cycle that repeats after each device reboot. Only newer, more secure firmware can end it, researchers say.

As it turns out, the worm’s author is keeping tracks of reports on the malware, and has adopted the Hajime name after Rapidity Networks called the threat this way last year, to keep it in line with Mirai’s Japanese naming (Mirai means “future” in Japanese, Hajime means “beginning”). Further, it appears that the author also addressed some bugs in the code after security researchers pointed them out in their October report.

According to Symantec, while it’s difficult to estimate the size of the network, “modest estimates put it in the tens of thousands.” The researchers also reveal that most of the infected machines are located in Brazil (19%), followed by Iran (17%), Thailand (11%), Russian Federation (11%), Turkey (8%), Vietnam (8%), Argentina (7%), Australia (7%), China (6%), and Taiwan (6%).

“What is needed to protect organizations from the perils of vulnerable IoT devices is a least privilege approach. IoT devices should be hard coded to only communicate with the local server or the manufacturer’s server across the Internet. Organizations should define policies aligned to the IP addresses and layer 4 ports these devices must use to operate and deny all others. Network Traffic Analysis technologies can be used to monitor traffic to and from IoT devices and alert if they send or receive any traffic that falls outside the least privilege policy,” Bob Noel, Director of Strategic Relationships and Marketing for Plixer International, told SecurityWeek in an emailed statement.

Related: IoT Worm "Hajime" Uses BitTorrent Protocols for Communications

Related: New Mirai Variant Unleashes 54-Hour DDoS Attack

view counter