The IoT malware that plays cat and mouse with Mirai

It was dubbed “Hajime” and from the start it seems to have had it in for the infamous Mirai Internet of Things (IoT) botnet used to launch last October’s stunning Terabit DDoS attack on DNS provider Dyn.

From the moment of its discovery by researchers at Rapidity Networks in the weeks after Mirai’s attack, Hajime has always stood out as the oddity in the IoT malware mini-boom.

It seemed to have been created in Mirai’s image, scanning for the same set of IoT devices with unsecured Telnet ports, breaking into them by trying an almost identical set of password and username combinations before executing a similar sequence of commands.

Once in control of a target it blocks several ports used by rival IoT-ware, a perfect annoyance for Mirai. Lacking a module that could be used to launch DDoS (or any attack), its main behaviour is to contact its command-and-control (C2), which returns a signed message displayed on the device’s terminal every 10 minutes.
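The Telnet credential-guessing behaviour described above leaves a recognisable trace on the device side: a burst of failed logins from one source, cycling through a handful of usernames, sometimes followed by a success. The following Python script is an added example, not code from the article or from the Hajime or Mirai authors; it runs a simple sliding-window detector over constructed telnetd log lines in an assumed syslog-like format (real embedded devices log in many different formats, so the regular expression would need adapting).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real device). The format
# "telnetd[pid]: login ok|failed user=... from=..." is an assumption.
SAMPLE_LOG = """\
2017-04-20T10:00:01 telnetd[412]: login failed user=root from=198.51.100.7
2017-04-20T10:00:02 telnetd[412]: login failed user=admin from=198.51.100.7
2017-04-20T10:00:02 telnetd[412]: login failed user=root from=198.51.100.7
2017-04-20T10:00:03 telnetd[412]: login failed user=support from=198.51.100.7
2017-04-20T10:00:04 telnetd[412]: login failed user=admin from=198.51.100.7
2017-04-20T10:00:05 telnetd[412]: login failed user=user from=198.51.100.7
2017-04-20T10:00:06 telnetd[412]: login ok user=admin from=198.51.100.7
2017-04-20T10:03:11 telnetd[412]: login failed user=admin from=192.0.2.9
2017-04-20T10:03:40 telnetd[412]: login ok user=admin from=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd\[\d+\]: login (?P<result>ok|failed) "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$"
)


def parse_events(text):
    """Turn matching log lines into dicts; lines in other formats are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["result"] == "ok",
            "user": m["user"],
            "src": m["src"],
        })
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return one alert per source that produced at least `threshold` failed
    logins inside any `window`. The alert records the usernames tried and
    whether a successful login followed the burst (a likely compromise)."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if not e["ok"]]
        for i in range(len(fails)):
            # Sliding window anchored at failure i: count failures within `window`.
            j = i
            while j < len(fails) and fails[j]["ts"] - fails[i]["ts"] <= window:
                j += 1
            if j - i >= threshold:
                last_fail = fails[j - 1]["ts"]
                success_after = any(e["ok"] and e["ts"] >= last_fail for e in evs)
                alerts[src] = {
                    "failed_attempts": j - i,
                    "usernames": sorted({e["user"] for e in fails[i:j]}),
                    "success_after_burst": success_after,
                }
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for src, info in find_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(src, info)
```

On the constructed sample, 198.51.100.7 is flagged with six failures across four usernames and a success immediately after the burst, while 192.0.2.9 (one failure, then a success half a minute later) stays below the threshold. A success following a burst is the case worth paging on, since it means the device now holds whichever payload the intruder chose to drop.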

The most recent version reads:

Just a white hat securing some systems.

Important messages will be signed like this!

Hajime Author.

Contact CLOSED.

Stay sharp!

According to new estimates it has taken over at least “tens of thousands” of devices, especially in Brazil, Iran, Thailand, the Russian Federation and Turkey. One company, BackConnect, put the infection numbers at around 100,000, not insignificant for a botnet of this type.

Since their discovery last year Mirai has declined while Hajime has grown, due in part, one might infer, to its predation of the former’s target list.

It’s not all plain sailing. Hajime eschews Mirai’s conventional C2 in favour of a novel decentralised peer-to-peer (P2P) approach based on popular torrent protocols. But, as with Mirai, Hajime is cleared from the infected device by a reboot, which requires it to infect the target anew each time.

Is Hajime good news, bad news or a bit of both?

Some might conclude that Hajime’s targeting of Mirai makes it a grey hat “vigilante”, that is an ethical project by unethical means. But there are unsettling details.

The botnet was given the name “Hajime” (“beginning” in Japanese, inspired by Mirai, which means “future”) by Rapidity’s researchers and yet the author refers to it in his/her terminal message. This shows that they’ve read the research paper. The researchers also mentioned bugs that ended up being fixed.

That feels less like vigilantism than a grandiose game of cat and mouse. So far, Hajime has no payload, but that doesn’t mean it couldn’t acquire one. The result of a lot of effort, its threat is implied.

Debatably, there is no such thing as grey-hat hacking when conducted on this scale, on devices that have rightful owners. Granted, these are poorly configured devices, but infecting them with more advanced malware hardly seems like the answer to the problem of careless security.

The message for all owners of IoT devices is to secure your devices, and for vendors of those devices to pull their fingers out and update firmware. In the case of Mirai and Hajime, simply applying a decent password and username is an excellent start.

Most victims of Hajime probably don’t even know they have been infected. Pity poor IoT devices, turned on one day only to be ignored for the rest of their existence. Hajime – and Mirai et al – will likely be with us for years to come.