Rival IoT malware clash in a botnet territory battle

Mirai—a notorious malware that’s been enslaving IoT devices—has competition.

A rival piece of programming has been infecting some of the same easy-to-hack internet-of-things (IoT) products, with a resiliency that surpasses Mirai, according to security researchers.

“You can almost call it Mirai on steroids,” said Marshal Webb, CTO at BackConnect, a provider of services to protect against distributed denial-of-service (DDoS) attacks.

Security researchers have dubbed the rival IoT malware Hajime, and since it was discovered more than six months ago, it’s been spreading unabated and creating a botnet. Webb estimates it’s infected about 100,000 devices across the globe.    

These botnets, or networks of enslaved computers, can be problematic. They’re often used to launch massive DDoS attacks that can take down websites or even disrupt the internet’s infrastructure.

That’s how the Mirai malware grabbed headlines last October. A DDoS attack from a Mirai-created botnet targeted DNS provider Dyn, which shut down and slowed internet traffic across the U.S.

Hajime was first discovered in the same month, when security researchers at Rapidity Networks were on the lookout for Mirai activity. What they found instead was something similar, but also more tenacious.

Like Mirai, Hajime also scans the internet for poorly secured IoT devices like cameras, DVRs, and routers. It compromises them by trying different username and password combinations and then transferring a malicious program.

However, Hajime doesn’t take orders from a command-and-control server like Mirai-infected devices do. Instead, it communicates over a peer-to-peer network built off protocols used in BitTorrent, resulting in a botnet that’s more decentralized—and harder to stop.

“Hajime is much, much more advanced than Mirai,” Webb said. “It has a more effective way to do command and control.”

Broadband providers have been chipping away at Mirai-created botnets, by blocking internet traffic to the command servers they communicate with. In the meantime, Hajime has continued to grow 24/7, enslaving some of the same devices. Its peer-to-peer nature means many of the infected devices can relay files or instructions to the rest of the botnet, making it more resilient against any blocking efforts.

Vesselin Bontchev

Hajime infection attempts (blue) vs. Mirai infection attempts (red), according to a honeypot from security researcher Vesselin Bontchev.

Who’s behind Hajime? Security researchers aren’t sure. Strangely, they haven’t observed the Hajime botnet launching any DDoS attacks—which is good news.  A botnet of Hajime’s scope is probably capable of launching a massive one similar to what Mirai has done.

“There’s been no attribution. Nobody has claimed it,” said Pascal Geenens, a security researcher at security vendor Radware.  

However, Hajime does continue to search the internet for vulnerable devices. Geenens’ own honeypot, a system that tracks botnet activity, has been inundated with infection attempts from Hajime-controlled devices, he said.

So the ultimate purpose of this botnet remains unknown. But one scenario is it’ll be used for cybercrime to launch DDoS attacks for extortion purposes or to engage in financial fraud.  

“It’s a big threat forming,” Geenens said. “At some point, it can be used for something dangerous.”

It’s also possible Hajime might be a research project. Or, in a possible twist, maybe it’s a vigilante security expert out to disrupt Mirai.

So far, Hajime appears to be more widespread than Mirai, said Vesselin Bontchev, a security expert at Bulgaria’s National Laboratory of Computer Virology.

However, there’s another key difference between the two malware. Hajime has been found infecting a smaller pool of IoT devices using ARM chip architecture.

That contrasts from Mirai, which saw its source code publicly released in late September. Since then, copycat hackers have taken the code and upgraded the malware. Vesselin has found Mirai strains infecting IoT products that use ARM, MIPS, x86, and six other platforms.

That means the clash between the two malware doesn’t completely overlap. Nevertheless, Hajime has stifled some of Mirai’s expansion.

“There’s definitely an ongoing territorial conflict,” said Allison Nixon, director of security research at Flashpoint.

To stop the malware, security researchers say it’s best to tackle the problem at its root, by patching the vulnerable IoT devices. But that will take time and, in other cases, it might not even be possible. Some IoT vendors have released security patches for their products to prevent malware infections, but many others have not, Nixon said.

That means Hajime and Mirai will probably stick around for a long time, unless those devices are retired.

“It will keep going,” Nixon said. “Even if there’s a power outage, [the malware] will just be back and re-infect the devices. It’s never going to stop.”

Scroll to Top