By Heather Hamilton, contributing writer
Vigilante botnet Hajime is probably the internet’s most advanced IoT botnet, according to an analysis conducted by Radware’s Pascal Geenens. Hajime works by infecting IoT devices before blackhats can get to them, billing itself as a whitehat. Radware’s analysis reveals the advanced technical skill required to build the renegade network.
Ars Technica reports that Hajime uses a list of usernames and passwords similar to that of Mirai, a botnet that enabled several attacks last year. Hajime works by infecting an IoT device and using malware to block access to four ports that are frequently used to breach security, then displaying a message on the device terminal saying, “Just a white hat, securing some systems. Important messages will be signed like this! Hajime author. Contact closed. Stay sharp.”
In Radware’s analysis, Geenens found Hajime to be reliable and stealthy in ways that are not typical of the botnet scene. For instance, Hajime works smarter, not harder, parsing information from login screens to identify the manufacturer and then trying that manufacturer’s factory default passwords first when attempting to take over a device. It also uses a BitTorrent peer-to-peer network to issue commands and updates, and encrypts node-to-node communications, making it less likely to be taken down by external forces such as an ISP. There is a full list of features in Ars Technica’s article, but suffice it to say, there are many.
Geenens’ research revealed that Hajime is more robust, has more features, and is infecting more devices than its blackhat counterparts, though he acknowledges that blackhats can’t be far behind. “If Hajime is a glimpse into what the future of IoT botnets looks like, I certainly hope that the IoT industry gets its act together and starts seriously considering securing existing and new products. If not, our connected hopes and futures might depend on grey hat vigilante to purge the threat the hard way.”
Though the vulnerabilities of IoT devices are well-known and have been for some time, little has been done to increase their security, presumably the reason for Hajime’s existence.
Geenens and others have speculated about the intentions of Hajime’s creator. In a blog post, Geenens wonders whether Hajime might itself be hijacked: earlier versions contained vulnerabilities that have since been fixed, but blackhats are working at the same speed, so there are potentially more. It would be easy, says Geenens, to reverse-engineer and repurpose Hajime to launch a DDoS attack, perform vulnerability scanning and set up a massive surveillance network, or leverage the work of a BrickerBot to darken an entire city.
Geenens writes, “For now, however, Hajime is still under control of its original author (or so I hope), and mostly we are considering his intentions to be good. Still, I wonder why this white knight keeps growing his botnet and keeps the devices hostage — searching and scanning aggressively for the next potential victim. If his intentions are good, why not just leave the CWMP rules and improve on them? If the ISP did not apply adequate security, why not make the iptables rules persistent, or keep them volatile but release the device and don’t keep it indefinitely hostage until it is rebooted?”
Sources: Ars Technica, Hajime – Sophisticated, Flexible, Thoughtfully Designed and Future Proof, Hajime – Friend or Foe?
Image Source: Pexels