White Hat Worm Takes on IoT Botnet

A white hat hacker has created an Internet of Things (IoT) botnet that fights the dreaded and powerful Mirai botnet (also known as the Mirai worm). The hacktivist is known simply as the “author of Hajime”, which is how he signs the messages delivered through the command and control (C&C) infrastructure that runs the benevolent botnet.

The hacker’s true identity is unknown. Hajime was the name given to the worm by the security researchers who discovered it, not by the hacker (who apparently adopted the name afterwards).
The IoT problem

IoT products are immensely popular, with more than 6.4 billion in use according to Gartner in 2015. Many people never change the default passwords these products ship with. Worse, some products are manufactured with no way to change the passwords at all.

Mirai (also known as Linux.Gafgyt) is a type of malware designed to take advantage of this weakness in IoT devices. It hijacks unsecured IoT products around the world and uses their combined power to launch Distributed Denial of Service (DDoS) attacks.

Mirai in the Wild

When Mirai hit the web last August, the world held its breath as massive DDoS attacks of unprecedented scale began to hit companies. In October 2016, the French hosting provider OVH was hit with a bigger attack than any seen before. The previous week, Brian Krebs’ website was hit with a massive 620 Gbps DDoS attack, which forced Google to step in and help the well-known security expert.

It did not end there: a few weeks later, a DDoS attack against Dyn disrupted the Internet on the largest scale ever known. Dyn operates much of the Internet’s Domain Name System (DNS) infrastructure. When whoever controlled Mirai hit the company with a DDoS attack, it knocked several major sites offline (including Twitter, the Guardian, Netflix, Reddit, CNN, Pinterest, GitHub, PayPal, Spotify and Amazon) for several hours.

It is estimated that there are approximately one billion unsecured IoT products in the world (one in six). Every time someone buys an IoT product and does not secure it with a strong password, it can become another cell in the botnet’s attack infrastructure.
How does it spread?

IoT products, most of them Linux-based, communicate using the Transmission Control Protocol (TCP). Botnets like Mirai use this protocol to transmit messages and spread the malware from one device to another. During DDoS attacks, relaying the traffic through infected devices also hides the origin of the assault.

The Dyn attack was unprecedented, with the company estimating that the DDoS traffic came from “100,000 malicious endpoints”. The attack also proved that, over time, we are increasingly likely to see massive web outages. Enter Hajime …

Hajime discovery

When the Hajime worm was first discovered last October, it was believed to be just another IoT botnet (like Mirai), still under development. At that time, Hajime consisted only of a self-replication module, allowing it to propagate from one IoT device to another via open, insecure Telnet ports.

The malware was spreading and infecting IoT products, but for the moment it was dormant: it was not being used for anything bad. This led the security community to speculate that Hajime might be one to watch in the future. In any case, Hajime was infecting devices, and security experts quietly worried about the type of payload that might eventually be delivered to it.


Legitimate Concerns

Many have speculated that, because of IoT botnets like Mirai (and Hajime, which had slipped into the shadows), 2017 could be the first year in which longer Internet outages are experienced. This fear remains legitimate, as a new Mirai variant appeared in the wild that launched 54-hour attacks.

Dima Bekerman, a security researcher at Imperva, says that the new Mirai variant follows exactly the same pattern as the original: it infects devices and spreads by continuously scanning the Internet for insecure devices. Imperva researchers believe that the recent attack against an unnamed American college involved about 9,793 CCTV cameras, DVRs and routers.

During the recent DDoS attack, the newest form of the worm delivered a continuous flow of about 30,000 requests per second to its victim, nonstop, for 54 hours. “This is the most we’ve seen of a Mirai botnet,” Bekerman said.

Hajime vs Mirai

The good news is that it has now become clear that Hajime is actually a vigilante attempt to curb the growing problem. Hajime is the work of a white hat hacker who is trying to thwart cybercriminals’ chances of extending Mirai-type malicious botnets.

It does this by taking control of IoT devices and locking them down before they can be added to the far more dangerous worm variant. A report by Rapidity Networks explains that Hajime (like Mirai) scans the Internet for insecure devices using several predefined credentials:

“After each pair of credentials, Hajime waits for a response from the target device. If the credentials are rejected, Hajime closes the current connection, reconnects, and tries the next pair. While their lists of hardcoded credentials are similar, they differ in their connection behavior: Hajime walks its list of credentials sequentially, while Mirai performs connection attempts in a weighted random order.”
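To show how that ordering difference looks from the defender’s side, here is an added example (not from the article, Rapidity Networks or either worm) that classifies credential-guessing sessions in a constructed Telnet honeypot log as list-sequential or random; the credential list, log format and log lines are placeholders I made up for the demonstration.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

Cred = Tuple[str, str]  # (username, password)
# Constructed placeholder for the hardcoded credential list the two worms share
# (not either worm's real username/password pairs).
KNOWN_LIST: List[Cred] = [
    ("root", "placeholder-1"), ("admin", "placeholder-2"),
    ("root", "placeholder-3"), ("user", "placeholder-4"), ("support", "placeholder-5"),
]
# Assumed honeypot log format: "<timestamp> <src-ip> login user=<u> pass=<p> result=<r>"
LOG_RE = re.compile(r"^\S+ (?P<src>\S+) login user=(?P<user>\S*) pass=(?P<pw>\S*) result=\w+$")

# Constructed sample: 192.0.2.10 walks the list in order, 198.51.100.7 jumps
# around it, and 203.0.113.3 never tries a listed pair at all.
SAMPLE_LOG = """\
2017-04-20T10:00:01Z 192.0.2.10 login user=root pass=placeholder-1 result=fail
2017-04-20T10:00:02Z 192.0.2.10 login user=admin pass=placeholder-2 result=fail
2017-04-20T10:00:03Z 192.0.2.10 login user=root pass=placeholder-3 result=fail
2017-04-20T10:00:04Z 198.51.100.7 login user=root pass=placeholder-3 result=fail
2017-04-20T10:00:05Z 198.51.100.7 login user=root pass=placeholder-1 result=fail
2017-04-20T10:00:06Z 198.51.100.7 login user=support pass=placeholder-5 result=fail
2017-04-20T10:00:07Z 203.0.113.3 login user=bob pass=hunter2 result=fail
"""

def parse_attempts(lines: List[str]) -> Dict[str, List[Cred]]:
    """Group each source's credential attempts in the order they were logged."""
    by_src: Dict[str, List[Cred]] = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            by_src[m["src"]].append((m["user"], m["pw"]))
    return dict(by_src)

def classify(attempts: List[Cred], known: List[Cred] = KNOWN_LIST) -> str:
    """'sequential': walks the list in order (Hajime-like); 'random': out of
    order (Mirai-like); 'unknown': too few hits on the list to judge."""
    first_index: Dict[Cred, int] = {}
    for i, cred in enumerate(known):
        first_index.setdefault(cred, i)  # keep the first position of any duplicate
    positions = [first_index[c] for c in attempts if c in first_index]
    if len(positions) < 3:
        return "unknown"
    steps = [b - a for a, b in zip(positions, positions[1:])]
    return "sequential" if all(s == 1 for s in steps) else "random"

def classify_log(lines: List[str]) -> Dict[str, str]:
    # Verdict per source address for a whole honeypot log.
    return {src: classify(creds) for src, creds in parse_attempts(lines).items()}
```

The classifier only gives a verdict once a source has hit at least three listed pairs, so a single failed login never gets labelled.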
Advanced Worm

Waylon Grange, senior researcher at Symantec, even goes so far as to claim that Hajime is actually “more cautious and more advanced” than its malicious counterpart:

“Once on an infected device, it takes several steps to hide its running processes and hide its files on the file system.

“The author can open a shell script to any infected machine in the network at any time, and the code is modular, so new features can be added on the fly. Part of the development time was devoted to the design of this worm.”

In addition, Grange explains that Hajime uses exactly the same username and password combinations that Mirai is programmed to use, plus two more. According to the Symantec report, the botnet has spread widely in recent months. This is good news, because it means that the infected devices can no longer fall victim to Mirai.


White Hat Messages

Grange’s blog explains that once Hajime has infected a device, it immediately blocks access to ports 23, 7547, 5555 and 5358. All of these ports have been exploited in the past by the Mirai malware.

Then, Hajime contacts its C&C infrastructure and receives a cryptographically signed message every ten minutes. This message appears to confirm that whoever designed Hajime has no harmful plans for the botnet:

What is interesting is that there is no single C&C server. Instead, “the controller pushes the control modules to the peer network and the message propagates to all peers. This is generally considered a more robust design because it makes takedowns more difficult.” Overall, the Symantec researcher commends the worm’s creator for blocking these ports, as this improves the security of the infected devices.

Nothing to worry about?

For now, Hajime seems like a fairy tale. However, the reality is that, despite the apparent motives of Hajime’s author, it could be a con. No one knows who the author of Hajime really is and, over the past few months, the botnet has spread massively. Conservative estimates put Hajime on tens of thousands of devices.

Because of Hajime’s stealthy nature, it is likely to spread much further over time. In addition, whoever designed Hajime is known to have left a backdoor in it. This means that if the motives of Hajime’s author change abruptly, it could be used to carry out massive and devastating attacks. Only time will tell whether this success story about a vigilante hacker turns out to be a much smarter and more dangerous infection vector.

After all, what better way to infect a lot of machines than to pretend you are doing it for good? We can only hope that Hajime is indeed the brainchild of a white hat hacker and, for now, we give the author of Hajime a big thumbs up.

It should be remembered that Mirai and Hajime infections are only temporary. Once an infected device is rebooted, “it returns to its insecure state, complete with default passwords and a Telnet port open to the world.” Grange explains that this leaves devices in a perpetual “Groundhog Day” state:

“One day a device may belong to the Mirai botnet; after the next reboot, it may belong to Hajime, and then to one of the many other IoT malware/worms that prey on devices with hardcoded passwords. The cycle will continue with each reboot until the device is updated with newer, more secure firmware.”
