Hajime

Hajime, an IoT malware strain discovered last October, appears to be the work of a vigilante who has set out to take over and neutralize as many smart devices as possible before other botnets like Mirai can get ahold of them.

While Hajime was first observed last year, it only recently became apparent to researchers that the author of this malware had no intention of using infected devices for evil.

When it was discovered last October, Hajime only came with a self-replication module that allowed it to spread from IoT device to IoT device via open and unsecured Telnet ports.

At the time, researchers didn't spot a DDoS module but that wasn't something noteworthy, as they just discovered this new threat, and to all intent and purpose, they considered Hajime an in-dev malware, one that could add DDoS capabilities once it matures.

Hajime matures but never adds a DDoS module

That maturation didn't take place, or at least not in the way researchers expected.

The initial Rapidity Networks report that unveiled Hajime's presence to the world also detailed some bugs. According to Symantec researcher Waylon Grange, Hajime's author appears to have read the report and fixed those bugs, but that was it.

The malware's author didn't add a DDoS feature, didn't use his botnet to relay malicious traffic, or any other intrusive operation.

For the past six months, Hajime has been using its self-replication module to fight with Mirai and other IoT botnet for control over IoT devices.

Hajime used to secure IoT devices

According to Grange, once Hajime infects a device it blocks access to ports 23, 7547, 5555, and 5358, which are all ports that have been exploited in the past by IoT malware.

After that, Hajime also contacts its command and control server and returns a cryptographically-signed message every ten minutes. The message, which is displayed on the device's terminal, reads as follows:

Just a white hat, securing some systems.
Important messages will be signed like this!
Hajime Author.
Contact CLOSED
Stay sharp!

Hajime continues where Wifatch left off

This isn't the first message or behavior of this type we've seen in the past years. In late 2015, Symantec researchers also discovered Wifatch, another malware targeting Linux-based IoT devices, that similarly took over smart devices, closed their ports, changed default passwords, and left warning messages in the device's console.

Wifatch, just like Hajime, was also the work of another vigilante, a team of mysterious security researchers going by the name of The White Team.

Just like Hajime is currently wrestling with Mirai for control over unsecured IoT devices, back in 2015, Wifatch played a major factor in crippling the botnet managed by the infamous Lizard Squad by taking over many of the devices the group was using to launch DDoS attacks.

Hajime's protective actions aren't permanent

Hajime will do many of us a huge favor if it manages to restrict the reach of Mirai botnets, which have been behind the most devastating DDoS attacks known to date.

Unfortunately, Hajime's actions aren't permanent, because just as Mirai, the worm and its actions are removed from infected hosts when the owner reboots his device. This is why Hajime and Mirai are entangled in an infinite loop for control over these devices.

One day Mirai may be using your DVR to launch DDoS attacks against a gaming company, while the next day Hajime will be closing the DVR's ports. As the device is rebooted, the cycle repeats in an endless loop, depending on what malware strain first reaches the device.

Hajime was specifically created to protect against Mirai

All clues point to the conclusion that Hajime was created to directly attack Mirai, and reduce the number of devices Mirai can infect.

First, Hajime appeared two-three weeks after Mirai carried out its biggest attacks, against OVH, Dyn, and KrebsOnSecurity, most likely as a response after Mirai's author released the malware's source code and made it available to anyone.

Second, Hajime includes the same usernames and password combinations used by Mirai, which shows a clear intention to target the same device-base Mirai is after.

Hajime has made a difference

According to Grange, this tactic appears to have been a success as Hajime spread quickly across the globe, already taking over and neutralizing a large number of devices in countries such as Brazil, Iran, and Russia.

Putting Hajime's actions together with the takedowns of several Mirai C&C servers, both appear to have put a dent in Mirai's reach, with the number of Mirai bots steadily declining since the start of the year.

Furthermore, Hajime also got a helping hand from another malware strain called BrickerBot, which also appears to be the work of another Internet vigilante. The downside is that BrickerBot doesn't bother securing open ports, but rather deletes everything on the device's storage, including firmware, effectively bricking IoT devices, sometimes to the point where they're rendered useless and need to be replaced.

In an era where IoT vendors don't seem to bother with creating secure devices, vigilante malware such as Wifatch, Hajime, and BrickerBot is about to become more widespread.