Hajime

The ever-growing Hajime botnet is starting to worry security researchers as the botnet has reached a massive size, estimated at 300,000 infected devices.

While Hajime was never used to perform any malicious action, such as DDoS attacks, researchers fear a rogue actor may be able to take over the botnet's operations from its original author.

Hajime appeared as a direct competitor for Mirai

The Hajime botnet was first spotted online last fall by security researchers from Rapidity Networks. Researchers named this new IoT malware Hajime, the Japanese word for "beginning," because the malware specifically tried to compromise the same devices infected by Mirai, which is the Japanese word for "future."

The connection to Mirai is important, because Hajime appeared right in the middle of several DDoS attacks performed by Mirai, a fellow IoT malware also used to create huge botnets.

Because of Mirai's intense activity at the time, Hajime went unnoticed by most security firms, who were pretty busy following and investigating the Mirai DDoS attacks taking place at the time.

Hajime evolves into highly sophisticated botnet

It was only after Symantec published a report last week that the infosec community's focus shifted back to Hajime, which in the meantime had grown into the most sophisticated IoT malware on the Internet.

Following Symantec's report, other security firms such as Kaspersky Labs and Radware also published reports on Hajime this week.

Their reports reach the same conclusion: Hajime is incredibly sophisticated, like nothing they've seen before, but it's currently harmless.

Here are the basic things you need to know regarding Hajime's current mode of operation:

⍈ The malware targets Linux-based devices running on the arm5, arm6, arm7, mipseb and mipsel platforms
⍈ Most of the infected devices are DVRs, security cameras, and home routers
⍈ Hajime spreads to devices in three ways: (1) by brute-forcing Telnet accounts with weak credentials; (2) by exploiting a flaw in the TR-064 protocol used by ISPs to remotely manage routers; and (3) by the Arris cable modem password of the day attack.
⍈ Hajime uses the exact same username and password combinations that Mirai is programmed to use, plus two more
⍈ Hajime has gone through six updates since the start of 2017, meaning its author is still developing it
⍈ The Hajime operator controls his botnet via the P2P protocol
⍈ All Hajime bot communications are encrypted
⍈ The Hajime malware binary has a modular architecture and can download other modules for extra functionality
⍈ Most of these modules and binaries are stored on other infected bots, and not downloaded from a central server
⍈ Security researchers have spotted only self-replication modules, but no modules for DDoS attacks or traffic proxying
⍈ Custom modules can be written in any language, as long as they can be compiled to a binary for one of the supported platforms
⍈ Hajime doesn't feature any persistence code, and the malware can be removed by rebooting the device
⍈ The first Hajime report from Rapidity Networks identified a bug in the communications protocol, which the author promptly fixed
⍈ The malware's author did not refer to his malware as Hajime, but started calling it so after the original Rapidity Networks report
⍈ Every time an infected bot contacts a C&C server for an updated configuration, the malware displays the following message on the device's console:

Hajime console message

Based on these console messages, in its report released last week, Symantec speculated that the author of the Hajime botnet is an Internet vigilante who has no bad intentions.
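The list above names three spreading vectors, two of which (Telnet brute-forcing and TR-064 probing) leave a very recognisable footprint in a router's or honeypot's firewall log. The detector below is an added example, not code from the article or from any of the vendors it cites; it assumes netfilter-style LOG lines (a constructed format), Telnet on port 23 and the TR-064 service on port 7547, and a brute-force threshold that is a tunable assumption.

```python
import re
from collections import defaultdict

# Assumed ports for two of the three spreading vectors named in the article
# (the article names the vectors, not the ports): Telnet and the TR-064
# management service that ISPs expose on customer routers.
WATCHED_PORTS = {23: "telnet", 7547: "tr-064"}
TELNET_BRUTE_THRESHOLD = 5  # attempts from one source before we alert (assumption)

# Matches netfilter-style LOG lines; this format is constructed for the example.
LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)")


def count_probes(lines):
    """Return {src_ip: {port: attempt_count}} counting only watched ports."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a firewall LOG line, skip it
        port = int(m.group("dpt"))
        if port in WATCHED_PORTS:
            counts[m.group("src")][port] += 1
    return counts


def find_scanners(lines):
    """Flag sources that hammer Telnet or touch TR-064 at all.

    Returns a sorted list of (src_ip, vector, attempt_count) tuples.
    A single TR-064 probe is already suspicious on a home router, so it
    alerts on the first hit; Telnet only alerts once the threshold is reached.
    """
    alerts = []
    for src, ports in count_probes(lines).items():
        if ports.get(23, 0) >= TELNET_BRUTE_THRESHOLD:
            alerts.append((src, "telnet", ports[23]))
        if ports.get(7547, 0) > 0:
            alerts.append((src, "tr-064", ports[7547]))
    return sorted(alerts)


def _line(src, dpt):
    """Build one constructed LOG line using RFC 5737 documentation addresses."""
    return f"Apr 24 10:00:01 gw kernel: IN=eth0 SRC={src} DST=192.0.2.10 PROTO=TCP DPT={dpt}"


# Constructed sample log: one Telnet brute-forcer, one TR-064 probe, one
# benign host with a couple of Telnet attempts below the threshold.
SAMPLE_LOG = ([_line("203.0.113.5", 23)] * 6
              + [_line("198.51.100.7", 7547)]
              + [_line("203.0.113.9", 80), _line("203.0.113.9", 23), _line("203.0.113.9", 23)])

if __name__ == "__main__":
    for src, vector, n in find_scanners(SAMPLE_LOG):
        print(f"{src}: {n} {vector} attempt(s)")
```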

Is the Hajime author really a vigilante?

Speaking to Bleeping Computer in an email exchange, Pascal Geenens, Cyber Security Evangelist for Radware and one of the researchers who analyzed Hajime, didn't fully agree with Symantec's classification.

"Just a white hat! Hmm… then why does Hajime stay resident and keeps growing its network? Why is the forked process called ‘atk’ for attack and not scan or discover," Geenens asked rhetorically.

"And it scans very aggressively for vulnerable telnet and WSDAPI devices. It does close the ports for the Mirai exploit vectors but opens ports for itself… I’m not so sure about the white hat thing," he added.

"For now, however, Hajime is still under control of its original author (or so I hope) and mostly we are considering his intentions to be good," Geenens wrote yesterday in a blog post. "Still, I wonder why this white knight keeps growing his botnet and keeps the devices hostage."

"If his intentions are good, why not just leave the CWMP rules and improve on them? If the ISP did not apply adequate security, why not make the iptables rules persistent, or keep them volatile but release the device, and don’t keep it indefinitely hostage until it is rebooted?" Geenens also pondered.

His thoughts and worries were also echoed by researchers from Kaspersky Labs. "Whether the author’s [console] message is true or not remains to be seen," they said. "Nevertheless, we advise owners of IoT devices to change the password of their devices to one that’s difficult to brute force and to update the firmware if possible."

Researchers fear the worst if someone else hijacks Hajime

Right now, Hajime isn't classified as a threat, but its sheer size of 300,000 bots, according to a Kaspersky estimate, worries researchers, and Geenens in particular.

"[F]ocus on the potential purpose of such large IoT botnets, consider for a moment that this botnet could be hijacked from its original owner," the Radware expert said, referring to the communications encryption flaw discovered last fall.

Geenens argues that if a black hat hacker were to find a similar flaw today, he could exploit it to break the encrypted C&C comms and hijack the botnet right from under the Hajime author's nose.

Because of Hajime's modular structure, even if there are no malicious modules present, an attacker could easily create and deploy them himself. Potential uses for such a botnet range from mundane DDoS attacks to mass surveillance by tapping into the video feeds and Internet traffic flowing through the Hajime-infected devices.

Researchers are also worried that, because of the botnet's sophistication and its use of a peer-to-peer structure (a design known to be takedown resilient), authorities and security firms would have an even harder time taking it down than they have had with Mirai variants.

In the past, when authorities tried to sinkhole botnets belonging to desktop malware that used P2P structures, such as Kelihos and Ramnit, they failed every time.

For all intents and purposes, right now, you wouldn't be wrong calling Hajime the work of an Internet vigilante, as the botnet has chewed away at many IoT botnets used for malicious purposes, trapping unsecured devices in its network, where they're currently dormant. So for the time being, here's a "Thank you Hajime author!" from the rest of us.