A self-proclaimed white hat hacker built Hajime to secure IoT devices, blocking ports from being exploited

Apr 21, 2017 00:37 GMT

In an odd turn of events, a vigilante hacker is apparently trying to make the IoT world a lot safer against malware. A developer has built a worm, known as Hajime, that has infected tens of thousands of IoT products and seems to have a single purpose: preventing Mirai from taking over.

Mirai is a notorious piece of malware that has infected countless IoT devices, turning them into bots for various for-hire DDoS attacks and more. Since security around most smart gadgets is somewhere between "nonexistent" and "a joke," Mirai has been extremely successful.

Well, folks over at Symantec have discovered that a new worm called Hajime has been infecting easy-to-hack products, such as DVRs, routers, and Internet cameras. Unlike other similar tools, however, it does not do anything malicious. Instead, the worm has been preventing Mirai from infecting those very same devices. The message written by the developer makes Hajime's purpose quite clear: "Just a white hat, securing some systems. Stay sharp!"

There you have it. A worm designed to add a much-needed security layer to the IoT universe while also fighting against Mirai.

Spotted in October, spreading fast

Hajime was first discovered by researchers in October of last year, spreading via unsecured devices that have open Telnet ports and use default passwords. This is pretty much the same technique Mirai uses to get into devices.

"Unlike Mirai, which uses hardcoded addresses for its command and control (C&C) server, Hajime is built on a peer-to-peer network. There isn’t a single C&C server address, instead the controller pushes command modules to the peer network and the message propagates to all the peers over time," Symantec's Waylon Grange writes.

It seems that Hajime is also a lot stealthier than Mirai. As soon as it infects a device, it takes multiple steps to conceal its running processes and hide files on the file system.

Symantec has tracked infections all over the world as Hajime has been spreading quickly. Researchers have some questions about whether the individual behind Hajime is really a White Hat simply trying to secure devices. "The modular design of Hajime also means if the author's intentions change they could potentially turn the infected devices into a massive botnet," researchers note.

Once on a device, Hajime truly works to secure it by blocking access to ports 23, 7547, 5555, and 5358, which are often exploited.
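A device owner can check whether those four ports are still reachable by reading the device's own listening-socket table. The following is an added example, not code from the article or from Symantec: it parses IPv4 `/proc/net/tcp` text copied off a Linux-based device, and the function name, the `little_endian` parameter and the sample table are constructed for illustration.

```python
import socket

# Ports the article says Hajime blocks (23 is Telnet).
WATCHED_PORTS = {23, 7547, 5555, 5358}
TCP_LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp

def exposed_listeners(proc_net_tcp, little_endian=True):
    """Return sorted (address, port) pairs for watched ports that are
    listening on a non-loopback IPv4 address.

    little_endian: the kernel prints the address in host byte order, so
    pass False for text taken from a big-endian device (assumption: the
    caller knows the device's CPU byte order).
    """
    found = set()
    for line in proc_net_tcp.splitlines():
        fields = line.split()
        # The header line and non-listening sockets fail this check.
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        addr_hex, _, port_hex = fields[1].partition(":")
        if len(addr_hex) != 8 or not port_hex:
            continue  # not an IPv4 entry
        port = int(port_hex, 16)
        if port not in WATCHED_PORTS:
            continue
        raw = bytes.fromhex(addr_hex)
        addr = socket.inet_ntoa(raw[::-1] if little_endian else raw)
        if addr.startswith("127."):
            continue  # loopback-only listeners are not reachable remotely
        found.add((addr, port))
    return sorted(found)

# Constructed sample: Telnet and 7547 on all interfaces, 5555 on loopback
# only, a web server on 192.168.1.1:80, and one established Telnet session.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 0100007F:15B3 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 00000000:1D7B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1
   3: 0101A8C0:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1004 1
   4: 0101A8C0:0017 0201A8C0:C350 01 00000000:00000000 00:00000000 00000000     0        0 1005 1
"""

if __name__ == "__main__":
    for addr, port in exposed_listeners(SAMPLE):
        print(f"listening on {addr}:{port}")
```

A listener bound to `0.0.0.0` accepts connections on every interface; whether it is reachable from the Internet still depends on any firewall or NAT in front of the device.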

"The fact that IoT devices are susceptible to the likes of Mirai and now Hajime is worrisome enough. Regardless of its intent, IoT devices infected with Hajime could be weaponized at some point; since the IoT devices are under someone’s control. Whoever controls the communication infrastructure these IoT bots receive commands from, pretty much owns the keys to this kingdom," said Stephen Gates, chief research intelligence analyst for NSFOCUS.