Security experts say a white hat hacker is responsible for the Hajime IoT botnet, which is on a mission to secure IoT devices vulnerable to the notorious Mirai malware. Divergent goals between Mirai and Hajime, experts say, will spark a perpetual back-and-forth between Mirai black hats and a lone Hajime white hat racing to reach millions of routers, DVRs and internet-connected cameras.
“No one knows for sure who created Hajime. The only thing we know for sure is that it’s a vigilante white hat hacker who created this to counter any future attacks from Mirai and similar attacks,” said Mandeep Khera, CMO of security firm Arxan.
Hajime is a Mirai-like malware, first discovered in October by Rapidity Networks, that has been spreading during the past several months, infecting insecure IoT devices that have open Telnet ports and use default passwords. However, while Hajime's and Mirai's modus operandi to self-propagate and infect are similar, their goals appear to be the opposite.
Unlike Mirai, which was used to carry out a series of high-bandwidth DDoS attacks, Hajime has no malicious functionality. In fact, researchers believe it only exists to self-propagate and close off the vulnerable Telnet ports used by Mirai for attacks.
Recent estimates by researchers suggest that Hajime malware has infected 10,000 home routers, internet-connected cameras, and a cadre of other IoT devices. Earlier estimates by Rapidity Networks said the malware co-opted between 130,000 and 185,000 devices.
While similar, Hajime stands out from Mirai. For example, Hajime uses a peer-to-peer architecture instead of a command and control server to send commands to bots. “Instead (Hajime) communicates over a distributed and decentralized overlay network to receive configuration and software updates,” according to a Rapidity Networks analysis of the malware (PDF).
Hajime was not designed for DDoS attacks nor does it have the capability, say researchers.
Travis Smith, senior security research engineer at Tripwire, also believes a white hat hacker is behind the malware. The biggest clue for him is that Hajime triggers the command and control system to send a message to the device’s terminal every 10 minutes that states: “Just a white hat, securing some systems. Important messages will be signed like this! Hajime Author. Contact CLOSED Stay sharp!”
However, Hajime’s efforts to harden IoT devices are short-lived. As with Mirai, when an IoT device is rebooted the Hajime malware vanishes, reopening its vulnerable ports and leaving the device open to another Mirai attack.
That has led some researchers to forecast an ongoing tug-of-war between Hajime and Mirai, with each battling the other in perpetuity to re-infect millions of IoT devices.
“They are both competing for the same resources, so it’s a constant battle of good versus evil in the IoT landscape at the moment,” Smith said.
Hajime is not the first example of so-called vigilante malware. In 2015, researchers came across Wifatch malware. Wifatch also targeted IoT devices and closed ports, changed default passwords and left behind warning messages.
“There have been quite a few examples of vigilante malware over the history of the internet. The danger with any of these, including Hajime, is that there may be collateral damage to the devices,” Smith said. “One mistake in the exploit, or shutting down a port that’s being used by the device, can render the device unusable to the actual owner. What happens if the malware infects critical infrastructure by accident and takes the device offline? Even the best intentions can have negative consequences.”