Meet Hajime, the IoT Botnet Built to Vaccinate Your Devices Against Mirai
Viruses remain fascinating. We don’t know whether they predate more complex forms of life, like bacteria, or descended from them. Viruses have complex relationships with bacteria, one infectious agent preying on or competing with another. The Russians used phage therapy for years, injecting their soldiers with highly specialized viruses called “bacteriophages” that only prey on the bacteria causing an infection. In the same fashion there’s coevolution in computer systems, with software springing up just to deal with problems in one program, or add functionality to another, like lateral gene transfer.
You may have heard of Mirai, a botnet that can turn your possessions into a vector for DDoS attacks.
In October 2016, reports surfaced of a new piece of malware targeting devices on the so-called “Internet of Things.” Since “mirai” is the Japanese word for “future,” Rapidity decided to name the newfound malware “Hajime,” which in Japanese can mean “beginning.”
Hajime infections. Image by Symantec.
Based on time stamps and other characteristics in the code, its discoverers believe Hajime was active prior to the release of the Mirai botnet’s source code. Assuming those time stamps are genuine, it’s unlikely that Hajime contains any authentic Mirai source code. Hajime does use the same table of credentials Mirai uses when attempting to take control of IoT-enabled devices, plus two additional entries. But otherwise, there’s little resemblance.
Hajime is based on the BitTorrent protocol and has no central command-and-control server. It’s more like a vaccine than a phage or virus, in that it doesn’t contain any DDoS capabilities, just the code for propagation. Like Mirai, Hajime tries to gain access to IoT-enabled devices. It sneaks in, covering its tracks. Then it blocks four ports that Mirai is known to attack. It leaves in its wake a message:
Just a white hat, securing some systems.
Important messages will be signed like this!
Hajime Author.
Contact CLOSED
Stay sharp!
Even if the author is as benevolent as he claims, the worm is still trying to access a backdoor, which would give it the option to push more malicious or damaging payloads to infected devices. There’s reason to speculate that Hajime is perhaps closer to a gray hat action, in that it could still be in its “latent” phase — like a virus lying dormant inside cells, just trying to infect as many devices as possible. What happens next is a familiar strategy to those who have played Pandemic or Plague, Inc., or perhaps the microbiologists among us: viruses also have a lytic phase that results in the destruction of the host cell. That’s when the symptoms show up. So you have to infect as many as possible before allowing your plague to betray more destructive symptoms of infection. Only once a critical density of hosts is achieved is it safe to go in for the kill.
In the end, however well-intentioned, Hajime is only a band-aid. As soon as the infected device is rebooted, it goes back to its previously vulnerable state, with ports open. The only real cure is updating firmware, which Hajime can’t do. So go update your toaster.