Symantec is monitoring the Hajime IoT malware, is it the work of a vigilante hacker?
20.4.2017 securityaffairs IoT
Symantec observed the Hajime IoT malware leaving a message on the devices it infects. Is it the work of a cyber vigilante?
The Mirai botnet is the most popular thingbot; it has been targeting poorly configured and flawed ‘Internet of Things’ devices since August 2016, when the threat was first discovered by the researcher MalwareMustDie.
Many other bots threaten the IoT landscape, but an antagonist recently appeared in the wild: its name is Hajime.
Hajime has been spreading quickly in recent months, mostly in Brazil and Iran.
The Hajime malware was first spotted in October 2016; it uses the same spreading mechanism as Mirai. The threat targets unsecured IoT devices with open Telnet ports that still use default passwords. Researchers discovered that Hajime uses the same list of username and password combinations as Mirai, plus two more.
Unlike Mirai, Hajime doesn’t use C&C servers; instead, it implements a peer-to-peer network.
“There isn’t a single C&C server address, instead the controller pushes command modules to the peer network and the message propagates to all the peers over time. This is typically considered a more robust design as it makes takedowns more difficult.” reads the analysis published by Symantec.
Hajime is more sophisticated than Mirai: it implements more mechanisms to hide its activity and running processes. The threat has a modular structure that allows operators to add new capabilities on the fly.
The analysis of Hajime reveals that it doesn’t implement distributed denial of service (DDoS) capabilities or any other attack code. Symantec researchers noticed that Hajime fetches a statement from its controller and displays it on the terminal every 10 minutes. The message is:
Just a white hat, securing some systems. Important messages will be signed like this!
The message is digitally signed, and the worm only accepts messages signed by a hardcoded key. Once it has infected a system, the worm blocks access to ports 23, 7547, 5555, and 5358 in order to prevent attacks from other IoT threats, including Mirai.
Experts believe Hajime could be the work of a cyber vigilante; in the past we have observed similar code, such as Linux.Wifatch, discovered by Symantec in October 2015.
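The "only accept messages signed by a hardcoded key" design described above is the same key-pinning pattern defenders use for firmware and configuration updates: the verifier ships with one public key baked in, and any message that does not verify under that key is dropped, no matter who sent it. The following Go program is an added illustration written for this article; it is not Hajime's code, and the article does not say which signature algorithm the worm uses, so Ed25519 is an assumption here. The broadcast text is the one quoted above; the keys are generated at run time for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedMessage pairs a broadcast text with its detached Ed25519 signature.
type SignedMessage struct {
	Text      []byte
	Signature []byte
}

// Sign produces a SignedMessage with the author's private key.
func Sign(priv ed25519.PrivateKey, text string) SignedMessage {
	return SignedMessage{Text: []byte(text), Signature: ed25519.Sign(priv, []byte(text))}
}

// Accept returns true only if msg verifies under the pinned public key.
// Length checks come first so a malformed message can never reach Verify.
func Accept(pinned ed25519.PublicKey, msg SignedMessage) bool {
	if len(pinned) != ed25519.PublicKeySize || len(msg.Signature) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pinned, msg.Text, msg.Signature)
}

// Demo pins one author key and checks three cases: a genuine message,
// the same message with one byte altered, and the same text signed by
// a different key. Only the first should be accepted.
// (Keys are generated here for illustration; a real device would have the
// public key hardcoded at build time, as the article describes.)
func Demo() (genuine, tampered, wrongKey bool, err error) {
	authorPub, authorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	_, impostorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	pinned := authorPub // stands in for the key compiled into the binary

	msg := Sign(authorPriv, "Just a white hat, securing some systems. Important messages will be signed like this!")
	genuine = Accept(pinned, msg)

	// Flip one bit of the text: the signature no longer matches.
	forged := SignedMessage{Text: append([]byte(nil), msg.Text...), Signature: msg.Signature}
	forged.Text[0] ^= 0x20
	tampered = Accept(pinned, forged)

	// Same text, valid signature, but from a key that is not pinned.
	wrongKey = Accept(pinned, Sign(impostorPriv, string(msg.Text)))
	return genuine, tampered, wrongKey, nil
}

func main() {
	genuine, tampered, wrongKey, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine accepted: %v\n", genuine)   // true
	fmt.Printf("tampered accepted: %v\n", tampered) // false
	fmt.Printf("wrong key accepted: %v\n", wrongKey) // false
}
```

The useful property for a defender is the third case: knowing the algorithm and the message format is not enough to inject a command, because the verifier trusts exactly one key. The weak point of such a scheme is therefore the key itself, which is why pinned keys belong in read-only storage and why an update path should exist for rotating them.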
“The problem with these white worms is that they usually turn out to have a short lifespan. That is because their effects are only temporary. On the typical IoT system affected by these worms the changes made to improve the security are only in RAM and not persistent.” observed Symantec.
In the broadcast message, the author refers to themselves as the “Hajime Author” but the name Hajime appears nowhere in the binaries. The name “Hajime” didn’t come from the author, but from the researchers who discovered the malware.
“This shows that the author was aware of the researchers’ report and seemed to have liked the name.” concluded the analysis.
Experts from Symantec also discovered bugs in the Hajime IoT malware and provided signatures for detecting them.