Mirai is not the biggest IoT worm anymore, as a battle is forming between the remains of the infamous botnet and a newly emerging family dubbed Hajime.
Initially discovered in October 2016, Hajime uses unsecured devices with open Telnet ports and default passwords, just like Mirai did. Interestingly, the new family employs the very same username and password combos used by Mirai, plus two more. However, similarities to Mirai end here.
How Similar Is Hajime to Mirai? Hajime IoT Worm Technical Overview
The very first big difference is that Hajime is built on a peer-to-peer network, whereas Mirai uses hardcoded addresses for the C&C server. Instead of a C&C server address, Hajime pushes command modules to the p2p network. As a result, the message gradually propagates to all the peers. Researchers believe this design is stronger than the one used by Mirai as it is more challenging to take it down.
The new IoT worm also has stealthier capabilities and is more advanced than its predecessor. After the initial infection, the threat takes several steps to hide its running processes as well as its files on the file system. Furthermore, the operator of the worm can open a shell on any infected device in the network at any time. Researchers say that its code is modular, meaning that new capabilities can be added on the go. All of this means that its coders took their time to make Hajime a stealthy and persistent IoT threat.
Symantec has reported that the worm has been spreading quite quickly during the past few months. The security company has detected infections on a global level, with the highest levels registered in Brazil and Iran.
No DDoS Features
Hajime has no DDoS capabilities or any other attacking code, apart from its propagation code. The worm fetches a statement from its controller and displays it on the terminal approximately every 10 minutes, Symantec explains. This is the current message:
Just a white hat, securing some systems.
Important messages will be signed like this!
This message is cryptographically signed. Hajime only accepts messages signed by a hardcoded key, so there is no doubt that the text is written by the author. However, researchers are questioning whether Hajime’s author is a true white hat as his intentions can quickly shift and could turn infected devices into a massive botnet.
Nonetheless, Symantec researchers are still doubtful of the origin and purpose of Hajime:
There is another aspect of the worm that stands out. In the broadcast message, the author refers to themselves as the “Hajime Author” but the name Hajime appears nowhere in the binaries. In fact, the name “Hajime” didn’t come from the author but rather from the researchers who discovered the worm and spotted similarities between it and the Mirai botnet and wanted to maintain the Japanese naming theme (Mirai means “future” in Japanese, Hajime means “beginning”). This shows that the author was aware of the researchers’ report and seemed to have liked the name.
How to Secure Your IoT Device?
Our guest blogger Martin Beltov has outlined some useful tips for configuring IoT devices to improve their security:
- Minimize Non-Critical Network Exposure – This is actually one of the simplest ways to minimize hacker attacks. This is also one of the easiest measures that device owners can implement. This policy mandates that all unused features and services should be switched off. If the device is a non-critical one (important services do not depend on it), it can also be switched off when not in use. A good firewall setup that prevents administrator access from external networks can protect against brute force attacks. Devices that serve important functions can be segmented into another zone from the primary work or home network.
- A Thorough Setup – Many intrusion attacks are carried out using two popular methods – brute force and dictionary attacks. They act against the authentication mechanisms of the appliances. System administrators can enforce a strong password policy and measures that defend against brute force attacks by adding intrusion detection systems. Using secure protocols is also a good idea – VPN and SSH with a proper security configuration.
- Security Updates – Not providing security updates to the owned appliances is probably one of the biggest problems that lead to intrusion attacks. It is important to perform regular updates.
- Implement Additional Security Measures – When IoT devices are used in a corporate or production environment, there are several ways to strengthen security. These include penetration testing, proactive network management and analysis methods.
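The brute force and dictionary attacks mentioned above are exactly how Hajime and Mirai spread over Telnet, and the detection logic an intrusion detection system needs is small. The following is an added example, not code from the article, Symantec or Martin Beltov: it parses a constructed, syslog-style telnetd log format (an assumption; real daemons log differently, so adjust LINE_RE) and flags a source that racks up repeated failed logins in a short window, upgrading the verdict when that same source then logs in successfully, which is the moment a default credential has been guessed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from the article): a burst of failed logins
# from one source, then a successful login from that same source, plus a
# lone failure from a second source. Addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
Apr 18 10:01:01 cam01 telnetd[212]: login failed user=root rhost=198.51.100.7
Apr 18 10:01:02 cam01 telnetd[212]: login failed user=root rhost=198.51.100.7
Apr 18 10:01:03 cam01 telnetd[212]: login failed user=admin rhost=198.51.100.7
Apr 18 10:01:04 cam01 telnetd[212]: login failed user=admin rhost=198.51.100.7
Apr 18 10:01:05 cam01 telnetd[212]: login failed user=support rhost=198.51.100.7
Apr 18 10:01:06 cam01 telnetd[212]: login ok user=root rhost=198.51.100.7
Apr 18 10:30:00 cam01 telnetd[212]: login failed user=root rhost=203.0.113.9
"""

# Assumed log format; real telnetd/login daemons differ, so adapt this regex.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ telnetd\[\d+\]: "
    r"login (?P<result>failed|ok) user=(?P<user>\S+) rhost=(?P<ip>\S+)$"
)

def parse_line(line, year=2017):
    """Parse one log line into a dict, or None if it is not a login event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}

def detect(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: verdict}: 'bruteforce' for >= threshold failed logins
    inside `window`; upgraded to 'compromise' if that same source then logs
    in successfully, i.e. the credential guessing worked."""
    failures = defaultdict(list)  # ip -> timestamps of recent failures
    verdicts = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "failed":
            times = failures[ip]
            times.append(ev["ts"])
            while times and ev["ts"] - times[0] > window:  # slide the window
                times.pop(0)
            if len(times) >= threshold:
                verdicts.setdefault(ip, "bruteforce")
        elif ip in verdicts:
            verdicts[ip] = "compromise"
    return verdicts
```

On the constructed sample, `detect(SAMPLE_LOG)` flags 198.51.100.7 as "compromise" and ignores the single failure from 203.0.113.9; a device where Telnet is disabled and the default password changed, as the tips above recommend, produces no such lines at all.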