Hajime Botnet Continues to Grow: Is It Friend or Is It Foe?

Bob Noel, Director - Marketing & Strategic Relationships, Plixer International

The explosion of internet-connected devices, known as the Internet of Things (IoT), has vastly increased the threat surface available for cyber criminals and bad actors to exploit. All too often, these IoT devices are deployed using default username and password credentials, leaving them extremely vulnerable to compromise. Recently two worms, Hajime and Mirai, which have both similarities and differences, have been successfully recruiting IoT devices by the thousands into their own botnets. Mirai has already proven it was built as a platform for DDoS attacks; however, the purposes of Hajime remain unclear.

A Different Approach

Hajime and Mirai are similar to each other in that they both use open Telnet ports (port 23) to gain access to IoT devices and they both take a brute force approach to compromising default passwords; but after that, they take very different approaches. Mirai uses a command and control server for its communication channels, whereas Hajime spreads in a peer-to-peer (P2P) fashion by using BitTorrent’s DHT (Distributed Hash Table) protocol for peer discovery and the Micro Transport Protocol (µTP) for data exchange. The use of BitTorrent’s established and dynamic P2P communication channel makes it more difficult for service providers to identify and filter Hajime’s traffic. Hajime also takes steps to hide its presence on the device. It removes itself from the device’s filesystem, and it alters its process name (in the device’s process list) to make it appear to be a common Telnet daemon program. Consensus within the security community is that Hajime is stealthier and better designed than Mirai, yet the intended purpose of Hajime’s author is still unknown.

Friend or Foe?

To date, Hajime's botnet has not taken any obviously aggressive actions. Other than its ability for self-propagation, dynamically hiding its presence from the filesystem, and obfuscating its process name, it does not appear to be doing anything malicious. It does not adversely affect the functionality of the infected device, nor has it been the source of any DDoS attacks.

It does, however, take some other action on the infected device. Upon installation, external access to ports 23, 7547, 555, and 5358 is blocked. These just happen to be common ports used by Mirai to target devices. An explanation of this curious behavior may be found in the message that is displayed each time a new Hajime configuration file is downloaded. The message reads: “Just a white hat, securing some systems. Important messages will be signed like this! Hajime Author. Contact CLOSED Stay sharp!”

A Plausible Explanation

At first glance, it could be the work of a white hat, and this explanation seems plausible. A skilled professional, intent on helping to secure globally deployed IoT devices, creates their own, more efficient worm designed to propagate across vulnerable devices, infect them and help prevent the spread of Mirai. If this is indeed the case, it would not be unprecedented. In 2014, a group calling themselves “The White Team” created and published the source code for Linux.Wifatch. Linux.Wifatch scans the Internet looking for vulnerable devices using default passwords, infecting them and disabling remote Telnet access to the device. The group says their actions were driven by the intent of learning, understanding, having fun, and an altruistic goal of increasing security. The group says they “co-opted [devices] to help the general public (in a small way).” The other possibility for Hajime is that its nefarious purpose has not yet been revealed. Thanks to its P2P communication channels for updating the code, it is possible that at some time in the future the code will be updated to leverage the botnet for some purpose that only its author knows.

Global Reach

Based on a recent report by Securelist, global Hajime infections stand at somewhere around 300,000 devices spread all over the world. Iran currently leads the way, representing 19.7 percent of infected devices, followed by Brazil (8.8 percent), Vietnam (7.9 percent), Russian Federation (7.5 percent), Turkey (6.2 percent), India (5.5 percent), Pakistan (4.7 percent), Italy (3.5 percent), Taiwan (3.5 percent), and others (29.5 percent).

Proactive Protection

Whether Hajime is truly the act of a white hat trying to limit the harmful effects of worms like Mirai, or a devious plan waiting to unfold, is yet to be seen. One thing that both Hajime and Mirai are doing is raising awareness of the dangers of deploying IoT devices with default usernames and passwords. Other important actions should be taken to protect organizations as well. One of the most effective ways to protect oneself against the perils of vulnerable IoT devices is a least privilege deployment approach. IoT devices should be hard coded to only communicate with the local server or the manufacturer’s server across the Internet. Organizations should define policies aligned to the IP addresses and layer 4 ports these devices must use to operate and deny all others. Network Traffic Analysis technologies can be used to monitor traffic to and from IoT devices and alert if they send or receive any traffic that falls outside the least privilege policy.
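As an added example (not code from the article or from Plixer), the least-privilege monitoring described above written as a small policy checker over flow records: each IoT device gets an allowlist of peer, protocol and port, every flow outside it raises an alert, inbound probes on the ports Hajime closes (23, 7547, 555, 5358) are tagged, and a second check flags a device fanning out to many unexpected Internet peers, the pattern P2P/DHT peer discovery produces. The device address, peer addresses and sample flows are constructed for the example.

```python
from collections import defaultdict, namedtuple
from ipaddress import ip_address, ip_network

# Least-privilege policy: for each IoT device, the only (peer, proto, port)
# tuples it needs to operate. All addresses here are constructed examples.
POLICY = {
    "192.168.10.21": {                  # hypothetical IP camera
        ("192.168.10.5", "tcp", 554),   # local video server (RTSP)
        ("203.0.113.10", "tcp", 443),   # manufacturer's cloud service
    },
}
LOCAL_NET = ip_network("192.168.10.0/24")
MIRAI_PORTS = {23, 7547, 5358, 555}     # ports Hajime closes on infected devices

# One NetFlow/IPFIX-style record: source, destination, protocol, destination port.
Flow = namedtuple("Flow", "src dst proto dport")

def check_flow(flow):
    """Return None if the flow fits the device's policy, else an alert string."""
    if flow.src in POLICY:
        device, peer, inbound = flow.src, flow.dst, False
    elif flow.dst in POLICY:
        device, peer, inbound = flow.dst, flow.src, True
    else:
        return None                     # neither endpoint is a policed device
    allowed = POLICY[device]
    if not inbound and (peer, flow.proto, flow.dport) in allowed:
        return None
    if inbound and peer in {p for p, _, _ in allowed}:
        return None                     # reply traffic from an allowed peer
    tag = " [port Mirai targets]" if inbound and flow.dport in MIRAI_PORTS else ""
    direction = "inbound from" if inbound else "outbound to"
    return f"{device} {direction} {peer} {flow.proto}/{flow.dport} outside policy{tag}"

def external_fanout(flows, threshold=5):
    """Devices reaching many unexpected Internet peers: the P2P/DHT-style pattern."""
    peers = defaultdict(set)
    for f in flows:
        if f.src in POLICY and check_flow(f) and ip_address(f.dst) not in LOCAL_NET:
            peers[f.src].add(f.dst)
    return {dev: len(p) for dev, p in peers.items() if len(p) >= threshold}

# Constructed sample: two permitted flows, an external Telnet probe, and
# UDP fan-out to six Internet peers (what DHT peer discovery looks like).
SAMPLE = [Flow("192.168.10.21", "192.168.10.5", "tcp", 554),
          Flow("192.168.10.21", "203.0.113.10", "tcp", 443),
          Flow("198.51.100.7", "192.168.10.21", "tcp", 23)]
SAMPLE += [Flow("192.168.10.21", f"198.51.100.{i}", "udp", 6881) for i in range(20, 26)]
ALERTS = [a for a in map(check_flow, SAMPLE) if a]
```

Feeding real flow exports into `check_flow` and `external_fanout` turns the written policy into the alerting the article recommends; a device that suddenly shows UDP fan-out or inbound Telnet from the Internet is worth isolating and re-provisioning with non-default credentials.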