The ever-growing Hajime botnet is starting to worry security researchers as the botnet has reached a massive size, estimated at 300,000 infected devices.
While Hajime was never used to perform any malicious action, such as DDoS attacks, researchers fear a rogue actor may be able to take over the botnet's operations from its original author.
The Hajime botnet was first spotted online last fall by security researchers from Rapidity Networks. Researchers named this new IoT malware Hajime, the Japanese word for "beginning," because the malware specifically tried to compromise the same devices infected by Mirai, which is the Japanese word for "future."
The connection to Mirai is important, because Hajime appeared right in the middle of several DDoS attacks performed by Mirai, a fellow IoT malware also used to create huge botnets.
Because of Mirai's intense activity at the time, Hajime went unnoticed by most security firms, who were pretty busy following and investigating the Mirai DDoS attacks taking place at the time.
It was only after Symantec published a report last week that the infosec community's focus shifted back to Hajime, which in the meantime had grown into the most sophisticated IoT malware on the Internet.
Their reports all reach the same conclusion: Hajime is incredibly sophisticated, like nothing they have seen before, but it is currently harmless.
Here are the basic things you need to know regarding Hajime's current mode of operation:
Based on these console messages, in its report released last week, Symantec speculated that the author of the Hajime botnet is an Internet vigilante who has no bad intentions.
Speaking to Bleeping Computer in an email exchange, Pascal Geenens, Cyber Security Evangelist for Radware and one of the researchers who analyzed Hajime, didn't fully agree with Symantec's classification.
"Just a white hat! Hmm… then why does Hajime stay resident and keeps growing its network? Why is the forked process called ‘atk’ for attack and not scan or discover," Geenens asked rhetorically.
"And it scans very aggressively for vulnerable telnet and WSDAPI devices. It does close the ports for the Mirai exploit vectors but opens ports for itself… I’m not so sure about the white hat thing," he added.
"For now, however, Hajime is still under control of its original author (or so I hope) and mostly we are considering his intentions to be good," Geenens wrote yesterday in a blog post. "Still, I wonder why this white knight keeps growing his botnet and keeps the devices hostage."
"If his intentions are good, why not just leave the CWMP rules and improve on them? If the ISP did not apply adequate security, why not make the iptables rules persistent, or keep them volatile but release the device, and don’t keep it indefinitely hostage until it is rebooted?" Geenens also pondered.
His thoughts and worries were also echoed by researchers from Kaspersky Labs. "Whether the author’s [console] message is true or not remains to be seen," they said. "Nevertheless, we advise owners of IoT devices to change the password of their devices to one that’s difficult to brute force and to update the firmware if possible."
Right now, Hajime isn't classified as a threat, but its sheer size of 300,000 bots, according to a Kaspersky estimate, worries researchers, and Geenens in particular.
"[F]ocus on the potential purpose of such large IoT botnets, consider for a moment that this botnet could be hijacked from its original owner," the Radware expert said, referring to the communications encryption flaw discovered last fall.
Geenens argues that if a black hat hacker were to find a similar flaw today, he could exploit it to break the encrypted C&C server communications and hijack the botnet right from under the Hajime author's nose.
Because of Hajime's modular structure, even if there are no malicious modules present today, an attacker could easily create and deploy them himself. Potential uses for such a botnet range from mundane DDoS attacks to mass surveillance by tapping into the video feeds and Internet traffic flowing through the Hajime-infected devices.
Researchers are also worried that, because of the botnet's sophistication and its use of a peer-to-peer structure (known to be resilient to takedowns), authorities and security firms would have an even harder time taking it down than they have had with Mirai variants.
For all intents and purposes, right now, you wouldn't be wrong calling Hajime the work of an Internet vigilante, as the botnet has chewed away at many IoT botnets used for malicious purposes, trapping unsecured devices in its network, where they're currently dormant. So for the time being, here's a "Thank you Hajime author!" from the rest of us.