Based by itself honeypot community knowledge, Rapidity Networks in October extrapolated that Hajime on the time was seemingly executing 260-370 billion contaminated makes an attempt per day and had already efficiently compromised someplace between 130,000 and 185,000 gadgets.
Unlike Mirai, which has been used to mine bitcoins and launch high-bandwidth distributed denial of service assaults, Hajime seems to haven’t any malicious performance. Rather, it’s constructed primarily to propagate itself, whereas additionally defending contaminated machines towards Mirai-type assaults by closing off their open, weak Telnet ports.
Hajime additionally shows a message on affected terminals roughly each 10 minutes, which reads: “Just a white hat, securing some systems. Important messages will be signed like this! Hajime Author. Contact CLOSED Stay sharp!” Such habits, Symantec famous, means that Hajime would be the work of a white-hat hacker, maybe trying to suppress Mirai’s malicious handiwork. (In mild of those revelations, SC Media has reached out to Rapidity Network for its personal newest evaluation on the malware.)
Although Hajime seems innocuous, and perhaps even benevolent in nature, it isn’t with out its considerations. Waylon Grange, senior malware researcher at Symantec (and writer of his firm’s Hajime weblog publish) acknowledged in an interview with SC Media that there’s presently “no hard evidence that Hajime is actually affecting Mirai” by way of its dimension and scope.
Moreover, rebooting a tool contaminated by Hajime would reopen its weak ports once more, leaving it inclined as soon as once more to Mirai. “And so, we’re left with embedded gadgets caught in a form of Groundhog Day time loop situation,” Grange wrote within the weblog publish. “One day a device may belong to the Mirai botnet, after the next reboot it could belong to Hajime, then the next any of the many other IoT malware/worms that are out there scanning for devices with hardcoded passwords. This cycle will continue with each reboot until the device is updated with a newer, more secure firmware.”
And lastly, Grange warned malware writer’s intentions can all the time change as long as he has backdoor management of a tool or machine.
Rapidity Network gave Hajime its title as a result of it’s the Japanese phrase for “beginning,” whereas Mirai is translated as “future.” Both malware packages scan the Internet for IoT gadgets with open ports and weak default passwords, however past this their variations change into obvious.
For occasion, Hajime propagates itself through a decentralized peer-to-peer community fairly than a extra conventional command-and-control mannequin like its predecessor Mirai. “Hajime’s… network is designed after some common peer-to-peer networks like those used by Bittorrent,” Grange instructed SC Media. “This provides a large amount of redundancy,” making takedowns harder to execute.
“In a typical botnet takedown, the idea is to take out the command-and-control server. Without it, the botnet won’t know where to get commands from,” Grange continued. “In a peer-to-peer network all the peers get their information from connecting to each other, [so] there is no central place to hit to bring it down. The controller simply selects from random one node, passes it the message… and tells it to spread the word.”
In his weblog publish, Grange additionally famous that Hajime is stealthier than Mirai as a result of it takes measures to idea its processes and conceal its recordsdata.
Furthermore, Hajime’s writer “can open a shell script to any infected machine in the network at any time, and the code is modular, so new capabilities can be added on the fl,” Grance wrote.” It is apparent from the code that a fair amount of development time went into designing this worm.”
Grange instructed SC Media that Hajime and Mirai infect lots of the identical sorts of IoT gadgets, with a number of notable exceptions. “Mirai targets some processor types that Hajime doesn’t — namely ppc, sh4, sparc, and x86 processors. It’s unclear why Hajime doesn’t target those devices,” mentioned Grange. “[An] earlier version of Hajime did have a x64 build but that seems to have fallen off in the most recent version of the malware.”