Mirai-Busting Hajime Worm Could be Work of White Hat

Security researchers are claiming a new Mirai-like worm designed to take remote control of unsecured IoT devices could be a white hat trying to thwart the work of malicious hackers.

The so-called Hajime worm was first discovered back in October 2016, but has been spreading quickly over the past few months, according to Symantec’s Waylon Grange.

There are several similarities with the notorious Mirai malware: it spreads via unsecured devices that have open Telnet ports and use default passwords, and uses the same log-in combinations as Mirai plus two more.

However, Hajime appears to be stealthier and more resilient than its rival.

It’s apparently built on a P2P network rather than using hardcoded addresses for a single command and control (C&C) server, making it more difficult to disrupt.

Plus, its code is modular, meaning new capabilities can be added over time, and once on a target system it will work to hide its processes and files. 

So far Brazil (19%), Iran (17%), Thailand (11%) and Russia (11%) top the list of affected countries, with infections running into the tens of thousands, Symantec estimated.

As to the identity of the developer, there are several reasons why it may be a white hat.

First, once installed, the malware blocks access to ports 3, 7547, 5555, and 5358: all of which host services that can be exploited by malware including Mirai.

Second, there are currently no DDoS or other attack capabilities present aside from propagation, and third, infected devices display a cryptographically signed message from the author describing themselves as: “Just a white hat, securing some systems.”

However, Grange cautioned that such attempts to improve security are often short-lived, because the changes they effect are made only in temporary RAM.

"Once the device is rebooted it goes back to its unsecured state, complete with default passwords and a Telnet open to the world. To have a lasting effect, the firmware would need to be updated. It is extremely difficult to update the firmware on a large scale because the process is unique to each device and in some cases is not possible without physical access,” he explained.

“And so, we are left with embedded devices stuck in a sort of Groundhog Day time loop scenario. One day a device may belong to the Mirai botnet, after the next reboot it could belong to Hajime, then the next any of the many other IoT malware/worms that are out there scanning for devices with hardcoded passwords. This cycle will continue with each reboot until the device is updated with a newer, more secure firmware.”

What’s Hot on Infosecurity Magazine?