Hajime, a vigilante's IoT malware against Mirai

[Parsh]

'Hajime', an IoT malware strain discovered last October, appears to be the work of a vigilante who has set out to take over and neutralize as many smart devices as possible before other botnets like Mirai can.
While Hajime was first observed last year, it only recently became apparent to researchers that the author of this malware had no intention of using infected devices for evil.

What is it up to then?

For the past six months, Hajime has been using its self-replication module to fight with Mirai DDoS and other IoT botnet for control over IoT devices.
Once Hajime infects a device it blocks access to the famous ports 23, 7547, 5555, and 5358.
After that, Hajime also contacts its command and control server and returns a cryptographically-signed message every ten minutes.
The message, which is displayed on the device's terminal, reads as follows:

Just a white hat, securing some systems.
Important messages will be signed like this!
Hajime Author.
Contact CLOSED
Stay sharp!

Unfortunately, Hajime's actions aren't permanent, because just as Mirai, the worm and its actions are removed from infected hosts when the owner reboots his device. This is why Hajime and Mirai are entangled in an infinite loop for control over these devices.
One day Mirai may be using your DVR to launch DDoS attacks against a gaming company, while the next day Hajime will be closing the DVR's ports. As the device is rebooted, the cycle repeats in an endless loop, depending on what malware strain first reaches the device.

Furthermore, Hajime also got a helping hand from another malware strain called BrickerBot, which also appears to be the work of another Internet vigilante.
According to Grange, this tactic appears to have been a success as Hajime spread quickly across the globe, already taking over and neutralizing a large number of devices in countries such as Brazil, Iran, and Russia.

 

[Winter Soldier]

BTW this is a dangerous chapter of the new generation of IoT malware.

 

[In2an3_PpG]

Very interesting. Did not know this existed.

Thanks for the share. @Parsh

 

[Parsh]

Very interesting. Did not know this existed.

Thanks for the share. @Parsh

The factor 'Vigilante' is what catches the eye!
And if this report is fresh, then we can say it took good time for the analysts and pro hackers to understand and publish the intent of the said good malware.

Hajime was worked upon soon after Mirai's source code was released and it includes the same usernames and password combinations used by Mirai, showing a clear intention to target the same device-base Mirai was after.

 

[Solarquest]

Mysterious Hajime botnet has pwned 300,000 IoT devices

Hajime – the "vigilante" IoT worm that blocks rival botnets – has built up a compromised network of 300,000 malware-compromised devices, according to new figures from Kaspersky Lab.

The steadily spreading Hajime IoT worm fights the Mirai botnet for control of easy-to-hack IoT products. The malware is billed as a vigilante-style internet clean-up operation but it might easily be abused as a resource for cyber-attacks, hence a growing concern among security watchers.

Hajime, like Mirai before it, takes advantage of factory-set (default) username and password combinations to brute-force its way into unsecured devices with open Telnet ports. The malware was first discovered [PDF] by security researchers at Rapidity Networks in October 2016. Since then it has spread steadily but inexorably. Most of the targets have turned out to be Digital Video Recorders, followed by webcams and routers, according to Kaspersky Lab.

Hajime avoids several networks, including those of General Electric, Hewlett-Packard, the US Postal Service, the United States Department of Defense, and a number of private networks. Infections had primarily come from Vietnam (over 20 per cent), Taiwan (almost 13 per cent) and Brazil (around 9 per cent).

The resiliency of Hajime surpasses Mirai, security researchers say. Features such as a peer-to-peer rather than centralised control network and hidden processes make it harder to interfere with the operation of Hajime (meaning "beginning" in Japanese) than comparable botnets.

Botnets of compromised devices can be harnessed for a variety of cyber-crimes ranging from DDoS attacks on targeted web sites to running credential-stuffing attacks or scanning websites for SQL injection vulnerabilities. The malware – which is not doing anything malign, at least for now – displays a message that says a "white hat" is "securing some systems". The worm blocks access to ports 23, 7547, 5555, and 5358, common entry points for the rival Mirai worm and other threats.

There is no attacking code or capability in Hajime – only a propagation module. Despite its (current) benign state Hajime is a still concern, not least because the malware's real purpose remains unknown.

"The most intriguing thing about Hajime is its purpose. While the botnet is getting bigger and bigger, its objective remains unknown. We have not seen its traces in any type of attack or additional malicious activity. Nevertheless, we advise owners of IoT devices to change the password of their devices to one that's difficult to brute force, and to update their firmware if possible," said Konstantin Zykov, senior security researcher at Kaspersky Lab.