Skip to content
Naked Security Naked Security

The IoT malware that plays cat and mouse with Mirai

A botnet dubbed Hajime uses much the same tactics as Mirai - but to neutralise the damage done. Is this a good thing, though?

It was dubbed “Hajime” and from the start it seems to have had it in for the infamous Mirai Internet of Things (IoT) botnet used to launch last October’s stunning Terabit DDoS attack on DNS provider Dyn.

From the moment of its discovery by researchers Rapidity Networks in the weeks after Mirai’s attack, Hajime always stood out as the oddity in IoT malware mini-boom.

It seemed to have been created in Mirai’s image, scanning for the same set of IoT devices with unsecured Telnet ports, breaking into them by trying an almost identical set of password and username combinations before executing a similar sequence of commands.

Once in control of a target it blocks several ports used by rival IoT-ware, a perfect annoyance for Mirai. Lacking a module that could be used to launch DDoS (or any attack), its main behaviour is to contact its command-and-control (C2), which returns a signed message displayed on the device’s terminal every 10 minutes.

The most recent version reads:

Just a white hat securing some systems.

Important messages will be signed like this!

Hajime Author.

Contact CLOSED.

Stay sharp!

According to new estimates it has taken over at least “tens of thousands” of devices, especially in Brazil, Iran, Thailand, the Russian Federation and Turkey. One company, BackConnect, put the infection numbers at around 100,000, not insignificant for a botnet of this type.

Since their discovery last year Mirai has declined while Hajime has grown, in part, one might infer, to its predation of the former’s target list.

It’s not all plain sailing. Hajime eschews Mirai’s conventional C2 in favour of a novel decentralised peer-to-peer (P2P) approach based on popular torrent protocols. But, as with Mirai, Hajime is cleared from the infected device by a reboot, which requires it to infect the target anew each time.

Is Hajime good news, bad news or a bit of both?

Some might conclude that Hajime’s targeting of Mirai makes it a grey hat “vigilante”, that is an ethical project by unethical means. But there are unsettling details.

The botnet was given the name “Hajime” (“beginning” in Japanese, inspired by Mirai, which means “future”) by Rapidity’s researchers and yet the author refers to it in his/her terminal message. This shows that they’ve read the research paper. The researchers also mentioned bugs that ended up being fixed.

That feels less like a vigilantism than a grandiose game of cat and mouse. So far, Hajime has no payload, but that doesn’t mean it couldn’t acquire one. The result of a lot of effort, its threat is implied.

Debatably, there is no such thing as grey-hat hacking when conducted on this scale, on devices that have rightful owners. Granted, these are poorly configured devices, but infecting them with more advanced malware hardly seems like the answer to the problem of careless security.

The message for all owners of IoT devices is to secure your devices, and for vendors of those devices to pull their fingers out and update firmware. In the case of Mirai and Hajime, simply applying a decent password and username is an excellent start.

Most victims of Hajime probably don’t even know they have been infected. Pity poor IoT devices, turned on one day only to be ignored for the rest of their existence. Hajime – and Mirai et al – will likely be with us for years to come.


9 Comments

If the devices are still functional, and the malware has no payload, I have to say, that’s a lot better than mirai for the rest of us. If it sticks that way, I feel like you’re being a bit up on your high horse about there being no such thing as grey hatting on this scale. If it makes the web more useable for the rest of us and has no downside except for those who failed to consider security when buying cheap disposable internet connected trash, that’s sounding exactly like a win to me. Maybe that makes me a sociopath or something, but there you have it.

It’s like having a permanent house guest you’ve never met before. Is it safe to assume they’ll behave themselves?

maybe, maybe not, but if the alternative is Mirai, Hajime is a clear winner. Yet to be seen is if the grey hat turns to the dark side and the botnet ends up in an auction.

A well behaved houseguest you never invited is better than a poorly-behaved houseguest you never invited.

I think the point is that doing the wrong thing for the right reason doesn’t justify it, but it’s only the wrong thing because the law says so. Maybe the laws around vigilantism and the internet need to change, or perhaps owners of insecure devices should be liable for the problems they create?

It seems like we have two choices: either create more regulation for the internet to control how it is used and therefore limit freedom, or deregulate it enough to allow individuals and companies to actively protect themselves from threats.

Good points. Perhaps what we need is a legally-acceptable method of implementing vigilantism. See my other post (which is below yours). Perhaps learning a lesson from how forums implemented moderation would help:
Early forums were controlled by an administrator (admin). Later, more admins were added when a forum got bigger. But, there’s a point where the admin/owner simply can’t do it any more. So, they implemented moderators (mods). Mods are trusted members who oversee individual posts, using certain rules. They’re the “vigilantes” in the current milieu. The government could be the “admin/owner”. Or, the vendor could allow some. (For the vendors who don’t care about security, it would fall back to the government to “own” this kind of thing.)
Wikipedia and other wikis also use this kind of methology.
Perhaps it’s time for something similar for IoTs?
???

You are absolutely correct that there are no grey-hat hackers in the IoT realm. They’re either white or black. And, in order to be white-hat, two things must be true:
First, they must have a contract with the owner of the system being hacked. Oops.
Second, they must be taking the moral high-ground.
Now, on the first, I can sort-of live with the malware/non-malware question, for the reasons given by other posters. But, ONLY if the second is true.
And, until we know exactly who they are, and what their reasons are for taking control, we can’t know that.
So, the bottom line is that, until they reveal themselves AND announce their intentions publicly, they’re all black-hat.

“Once in control of a target it several blocks ports used by rival IoT-ware, a perfect annoyance for Mirai.”

You probably want to swap the eighth and ninth words in the sentence above.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?