‘Hajime malware is an attempt to prevent Mirai botnet expansion’

Security firm Symantec has published an analysis of the Hajime malware, which targets insecure IoT devices. According to that analysis, Hajime is not a malicious variant like Mirai; instead, it appears to be intended to prevent Mirai from spreading.

The Hajime malware was discovered in October 2016 by the security company Rapidity. This was shortly after the source code of the Mirai malware appeared online, which led to the emergence of several variants. At the time, the company wrote that Hajime’s purpose was “a mystery”, because the malware contained no module for performing malicious actions such as a DDoS attack. Symantec writes that this is still the case, but that the software also displays a message in the terminal of an infected system.

The message reads ‘just a white hat, securing some systems’, giving the impression that it comes from an ‘ethical’ hacker who is not out to cause damage. The message carries a digital signature, which, according to Symantec, makes it plausible that it actually comes from Hajime’s author. However, the apparently ‘benign’ malware could still be given DDoS capabilities later, which makes it difficult to judge whether the author actually has good intentions.

There is, however, further evidence to support this theory. For example, the Symantec researcher writes that Hajime makes infected devices more secure by closing ports 23, 7547, 5555 and 5358, some of which Mirai uses to spread. The malware does not modify the firmware, so the changed settings are undone after a reboot and the device once again becomes a target for IoT malware.
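
A defender can check whether a device still exposes the ports mentioned above by reading the kernel’s socket table on the device itself. The following Python script is an added example, not code from the article or from Symantec; it parses a constructed snapshot of `/proc/net/tcp` (the Linux socket table found on most embedded devices) and reports which of the four ports have a listening socket. The sample snapshot, the helper names and the little-endian assumption are all the example’s own.

```python
import socket
import struct

# Ports that, according to the Symantec analysis, Hajime closes on infected devices.
HAJIME_CLOSED_PORTS = (23, 7547, 5555, 5358)

# Socket state code for LISTEN as printed in the "st" column of /proc/net/tcp.
TCP_LISTEN = 0x0A

# Constructed sample of /proc/net/tcp from a hypothetical little-endian IoT device:
# telnet (0x0017 = 23) and the TR-069 port (0x1D7B = 7547) listen on all interfaces,
# a web UI (0x0050 = 80) listens on localhost only, and one telnet session from
# 192.168.0.1 is already established (state 01). Trailing columns are truncated.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 00000000:1D7B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002
   2: 0100007F:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003
   3: 0F02000A:0017 0100A8C0:D431 01 00000000:00000000 00:00000000 00000000     0        0 1004
"""


def parse_proc_net_tcp(text, little_endian=True):
    """Return (local_ip, local_port, state) tuples for every socket row.

    The kernel prints the IPv4 address as its native 32-bit integer in hex, so the
    byte order depends on the device's CPU. Pass little_endian=False for snapshots
    taken from big-endian hardware (for example many MIPS-based routers).
    """
    fmt = "<I" if little_endian else ">I"
    sockets = []
    for line in text.splitlines()[1:]:          # the first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        ip_hex, port_hex = fields[1].split(":")
        ip = socket.inet_ntoa(struct.pack(fmt, int(ip_hex, 16)))
        sockets.append((ip, int(port_hex, 16), int(fields[3], 16)))
    return sockets


def exposed_ports(text, watch=HAJIME_CLOSED_PORTS, little_endian=True):
    """Ports from `watch` that have a listening socket in the given snapshot."""
    listening = {
        port for _ip, port, state in parse_proc_net_tcp(text, little_endian)
        if state == TCP_LISTEN
    }
    return sorted(listening & set(watch))


def audit_live_device(path="/proc/net/tcp"):
    """Run the same check against the Linux machine this script executes on."""
    with open(path) as fh:
        return exposed_ports(fh.read())


if __name__ == "__main__":
    print("sample device still exposes:", exposed_ports(SAMPLE_PROC_NET_TCP))
    for ip, port, state in parse_proc_net_tcp(SAMPLE_PROC_NET_TCP):
        print(f"  {ip}:{port} state=0x{state:02X}")
```

Because Hajime’s port changes do not survive a reboot, a check like this only describes the device at the moment the snapshot is taken; repeat it after every restart, and remember that `/proc/net/tcp` covers IPv4 only (`/proc/net/tcp6` holds the IPv6 sockets).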

There are both differences and similarities between Hajime and Mirai. Like Mirai, Hajime spreads via insecure devices with an open Telnet port and default accounts, and it uses the same username and password combinations as Mirai plus two additional ones. The difference is that Hajime uses a decentralized network, whereas Mirai connects to a single C2 server. Hajime also tries to stay hidden.
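
Both families announce themselves on a device the same way: a burst of Telnet login attempts with well-known credentials from one source, followed by a success. The detector below is an added example, not code from the article or from Symantec; it runs over constructed, syslog-style log lines (the line format, host name, user names and 192.0.2.x source addresses are all assumptions of the example) and flags a source that fails a threshold of logins inside a time window, plus any success that follows recent failures from the same source.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log lines in a hypothetical syslog-style format. The field layout is an
# assumption of this example, not the output of any particular telnet daemon.
SAMPLE_LOG = """\
Apr 18 10:01:02 cam01 telnetd: login failed for 'admin' from 192.0.2.10
Apr 18 10:01:03 cam01 telnetd: login failed for 'admin' from 192.0.2.10
Apr 18 10:01:04 cam01 telnetd: login failed for 'root' from 192.0.2.10
Apr 18 10:01:06 cam01 telnetd: login succeeded for 'root' from 192.0.2.10
Apr 18 10:05:00 cam01 telnetd: login succeeded for 'admin' from 192.0.2.50
Apr 18 10:09:00 cam01 telnetd: login failed for 'admin' from 192.0.2.77
Apr 18 10:09:00 cam01 telnetd: login failed for 'admin' from 192.0.2.77
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ telnetd: "
    r"login (?P<result>failed|succeeded) for '(?P<user>[^']*)' from (?P<src>[\d.]+)$"
)


def parse_line(line, year=2017):
    """Return (timestamp, result, user, source) or None for lines we do not understand."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year, so the caller supplies one.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def detect_credential_attacks(lines, threshold=3, window_seconds=60):
    """Flag sources with `threshold` failed logins inside `window_seconds`, and any
    successful login that arrives while failures from the same source are still recent."""
    recent_failures = defaultdict(deque)   # source -> timestamps of failures in the window
    flagged = set()                        # sources already reported as brute forcing
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        window = recent_failures[src]
        while window and (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()               # drop failures that fell out of the window
        if result == "failed":
            window.append(ts)
            if len(window) >= threshold and src not in flagged:
                flagged.add(src)
                findings.append({"type": "brute_force", "src": src,
                                 "at": ts, "failures": len(window)})
        elif window:
            # A success right after failures is the signature of a default-credential hit.
            findings.append({"type": "success_after_failures", "src": src, "user": user,
                             "at": ts, "failures": len(window)})
    return findings


if __name__ == "__main__":
    for finding in detect_credential_attacks(SAMPLE_LOG):
        print(finding)
```

The second finding type matters more than the first: a device that only logs failures may simply be on the receiving end of internet background noise, whereas a success preceded by failures from the same source is a strong sign the device has just been taken over and should be isolated and rebooted with new credentials.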

According to Symantec, Hajime has spread rapidly in recent months. The malware is said to have infected ‘tens of thousands’ of devices, particularly in Brazil and Iran. Hajime is not the first malware that appears to serve a ‘benign’ purpose. In October, for example, researcher Jerry Gamblin developed a worm that changed the Telnet credentials of vulnerable IoT devices, but he ended the project after criticism: spreading a worm puts devices at risk and is unethical and sometimes illegal, critics say. A similar case is BrickerBot, which surfaced recently and renders vulnerable IoT devices virtually useless.

The Mirai malware and its variants are used to build botnets from various IoT devices, often IP cameras and digital video recorders. Together, these devices are capable of mounting powerful DDoS attacks, such as the one on DNS provider Dyn. More major DDoS attacks were expected this year, but so far that has not happened. The word ‘mirai’ means ‘future’ in Japanese; ‘hajime’ means ‘beginning’.