New player enters the IoT malware battlefield

Security researchers have dubbed the rival IoT malware Hajime, and since it was discovered more than six months ago, it’s been spreading unabated and creating a botnet. Webb estimates it’s infected about 100,000 devices across the globe.

These botnets, or networks of enslaved computers, can be problematic. They’re often used to launch massive DDoS attacks that can take down websites or even disrupt the internet’s infrastructure.

That’s how the Mirai malware grabbed headlines last October. A DDoS attack from a Mirai-created botnet targeted DNS provider Dyn, which shut down and slowed internet traffic across the US.

Hajime was first discovered in the same month, when security researchers at Rapidity Networks were on the lookout for Mirai activity. What they found instead was something similar, but also more tenacious.

Like Mirai, Hajime also scans the internet for poorly secured IoT devices like cameras, DVRs, and routers. It compromises them by trying different username and password combinations and then transferring a malicious programme.

However, Hajime doesn’t take orders from a command-and-control server like Mirai-infected devices do. Instead, it communicates over a peer-to-peer network built off protocols used in BitTorrent, resulting in a botnet that’s more decentralised - and harder to stop.

“Hajime is much, much more advanced than Mirai,” Webb said. “It has a more effective way to do command and control.”

Broadband providers have been chipping away at Mirai-created botnets, by blocking internet traffic to the command servers they communicate with. In the meantime, Hajime has continued to grow 24/7, enslaving some of the same devices. Its peer-to-peer nature means many of the infected devices can relay files or instructions to the rest of the botnet, making it more resilient against any blocking efforts.

Hajime infection attempts (blue) vs. Mirai infection attempts (red), according to a honeypot from security researcher Vesselin Bontchev

Who’s behind Hajime? Security researchers aren’t sure. Strangely, they haven’t observed the Hajime botnet launching any DDoS attacks - which is good news. A botnet of Hajime’s scope is probably capable of launching a massive one similar to what Mirai has done.

“There’s been no attribution. Nobody has claimed it,” said Pascal Geenens, a security researcher at security vendor Radware.

However, Hajime does continue to search the internet for vulnerable devices. Geenens’ own honeypot, a system that tracks botnet activity, has been inundated with infection attempts from Hajime-controlled devices, he said.

So the ultimate purpose of this botnet remains unknown. But one scenario is it’ll be used for cybercrime to launch DDoS attacks for extortion purposes or to engage in financial fraud.

“It’s a big threat forming,” Geenens said. “At some point, it can be used for something dangerous.”

It’s also possible Hajime might be a research project. Or, in a possible twist, maybe it’s a vigilante security expert out to disrupt Mirai.

So far, Hajime appears to be more widespread than Mirai, said Vesselin Bontchev, a security expert at Bulgaria’s National Laboratory of Computer Virology.

However, there’s another key difference between the two malware. Hajime has been found infecting a smaller pool of IoT devices using ARM chip architecture.

That contrasts from Mirai, which saw its source code publicly released in late September. Since then, copycat hackers have taken the code and upgraded the malware. Vesselin has found Mirai strains infecting IoT products that use ARM, MIPS, x86, and six other platforms.

That means the clash between the two malware doesn’t completely overlap. Nevertheless, Hajime has stifled some of Mirai’s expansion.

“There’s definitely an ongoing territorial conflict,” said Allison Nixon, Director of security research at Flashpoint.

To stop the malware, security researchers say it’s best to tackle the problem at its root, by patching the vulnerable IoT devices. But that will take time and, in other cases, it might not even be possible. Some IoT vendors have released security patches for their products to prevent malware infections, but many others have not, Nixon said.

That means Hajime and Mirai will probably stick around for a long time, unless those devices are retired.

“It will keep going,” Nixon said. “Even if there’s a power outage, [the malware] will just be back and re-infect the devices. It’s never going to stop.”

Comment
Itsik Mantin, Director of Security Research at Imperva: “This is another example for the Internet of Things being a Botnet of Things, with another malware that distributes like wildfire in the Internet, even if the number of infected devices is less than the claimed 100,000. What most disturbs me here is the fact that this trend is likely to stay with us for at least a couple of years. Existing botnets remain active until the devices are patched or retired, which in IoT devices can take years. Moreover, new connected devices are still being released to the field without adequate protection, providing easy prey for the next IoT worm.

The power of this number of bot soldiers can be used in many various ways. Are we expected to see from this botnet intensive DDoS attacks on victim web servers like Mirai, distributed brute force attempts on login pages, or scanning web sites for SQL injection vulnerabilities? With botnets becoming a commodity, and the botnet-for-hire market flourishing, my guess is that we will see some of all of the above.”