IoT malware clashes in a botnet territory battle

The Hajime malware is competing with the Mirai malware to enslave some IoT devices

Mirai -- a notorious malware that's been enslaving IoT devices -- has competition.

A rival piece of programming has been infecting some of the same easy-to-hack internet-of-things products, with a resiliency that surpasses Mirai, according to security researchers.

"You can almost call it Mirai on steroids," said Marshal Webb, CTO at BackConnect, a provider of services to protect against distributed denial-of-service (DDoS) attacks.

Security researchers have dubbed the rival IoT malware Hajime, and since it was discovered more than six months ago, it's been spreading unabated and creating a botnet. Webb estimates it's infected about 100,000 devices across the globe.    

These botnets, or networks of enslaved computers, can be problematic. They're often used to launch massive DDoS attacks that can take down websites or even disrupt the internet’s infrastructure.

That’s how the Mirai malware grabbed headlines last October. A DDoS attack from a Mirai-created botnet targeted DNS provider Dyn, which shut down and slowed internet traffic across the U.S.

Hajime was first discovered in the same month, when security researchers at Rapidity Networks were on the lookout for Mirai activity. What they found instead was something similar, but also more tenacious.

Like Mirai, Hajime also scans the internet for poorly secured IoT devices like cameras, DVRs, and routers. It compromises them by trying different username and password combinations and then transferring a malicious program.

However, Hajime doesn’t take orders from a command-and-control server like Mirai-infected devices do. Instead, it communicates over a peer-to-peer network built off protocols used in BitTorrent, resulting in a botnet that's more decentralized -- and harder to stop.

"Hajime is much, much more advanced than Mirai," Webb said. "It has a more effective way to do command and control."

Broadband providers have been chipping away at Mirai-created botnets, by blocking internet traffic to the command servers they communicate with. In the meantime, Hajime has continued to grow 24/7, enslaving some of the same devices. Its peer-to-peer nature means many of the infected devices can relay files or instructions to rest of the botnet, making it more resilient against any blocking efforts.

screen shot 2017 04 17 at 11.19.12 am Vesselin Bontchev

Hajime infection attempts (blue) vs Mirai infection attempts (red), according to a honeypot from security researcher Vesselin Bontchev.

Who's behind Hajime? Security researchers aren’t sure. Strangely, they haven't observed the Hajime botnet launching any DDoS attacks -- which is good news.  A botnet of Hajime’s scope is probably capable of launching a massive one similar to what Mirai has done.

"There’s been no attribution. Nobody has claimed it," said Pascal Geenens, a security researcher at security vendor Radware.  

However, Hajime does continue to search the internet for vulnerable devices. Geenens' own honeypot, a system that tracks botnet activity, has been inundated with infection attempts from Hajime-controlled devices, he said.

So the ultimate purpose of this botnet remains unknown. But one scenario is it'll be used for cybercrime to launch DDoS attacks for extortion purposes or to engage in financial fraud.  

"It's a big threat forming," Geenens said. "At some point, it can be used for something dangerous."

It’s also possible Hajime might be a research project. Or in a possible twist, maybe it's a vigilante security expert out to disrupt Mirai.

So far, Hajime appears to be more widespread than Mirai, said Vesselin Bontchev, a security expert at Bulgaria's National Laboratory of Computer Virology.

However, there's another key difference between the two malware. Hajime has been found infecting a smaller pool of IoT devices using ARM chip architecture.

That contrasts from Mirai, which saw its source code publicly released in late September. Since then, copycat hackers have taken the code and upgraded the malware. Vesselin has found Mirai strains infecting IoT products that use ARM, MIPS, x86, and six other platforms.

That means the clash between the two malware doesn’t completely overlap. Nevertheless, Hajime has stifled some of Mirai’s expansion.

"There's definitely an ongoing territorial conflict," said Allison Nixon, director of security research at Flashpoint.

To stop the malware, security researchers say it's best to tackle the problem at its root, by patching the vulnerable IoT devices. But that will take time and, in other cases, it might not even be possible. Some IoT vendors have released security patches for their products to prevent malware infections, but many others have not, Nixon said.

That means Hajime and Mirai will probably stick around for a long time, unless those devices are retired.

"It will keep going," Nixon said. "Even if there's a power outage, [the malware] will just be back and re-infect the devices. It's never going to stop."

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Michael Kan

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?