Move over, Mirai, another botnet is taking aim at Internet of Things (IoT) devices. The interesting twist is that nobody is sure if the new entrant, Hajime, aims at causing destruction or at preventing Mirai and other botnets from doing so.
Security firm Kaspersky Lab claimed that Hajime, which means “beginning” in Japanese, is a distributed denial of service (DDoS) botnet that has infected more than 300,000 IoT devices. The botnet has at least a couple of ways of attacking IoT devices, including one that specifically targets Arris cable modems, according to eWeek. The botnet is worldwide, but about half of the infected devices are in Iran, Brazil, Vietnam, the Russian Federation and Turkey. Digital video recorders (DVRs) and IoT-connected video systems are the favored targets.
Securelist, a blog from Kaspersky, provides the technical details and differs from eWeek on a few points. For instance, it says that almost (not more than) 300,000 devices have been affected, and its list of top victim countries has China in place of the Russian Federation.
The drama around Hajime centers on its raison d'être. Securelist puts it simply: “The most intriguing thing about Hajime is its purpose.” There is speculation that Hajime, which was discovered last year, is aimed at pushing back against Mirai and similar malware.
Waylon Grange, in a post on Symantec’s site, notes that Hajime has no DDoS module, which suggests it is not built to attack, and that it closes four ports on infected devices that Mirai is known to use to gain control. It even delivers a positive message (“Just a white hat, securing some systems. Important messages will be signed like this! Hajime Author. Contact CLOSED Stay sharp!”).
That’s a strong circumstantial case for the conclusion that Hajime is beneficial. Nothing is certain in the scary and fun world of computer security, however. Just because somebody says that their code is good doesn’t mean that it is so:
The above message is cryptographically signed and the worm will only accept messages signed by a hardcoded key, so there is little question that this message is from the worm’s true author. However, there is a question around trusting that the author is a true white hat and is only trying to secure these systems, as they are still installing their own backdoor on the system. The modular design of Hajime also means if the author’s intentions change they could potentially turn the infected devices into a massive botnet.
Grange notes that this isn’t the first time that white hats (good hackers) have claimed to author vigilante software aimed at helping secure the internet from attackers. Whether Hajime is one of them, or bad malware posing as good, remains to be seen.
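As an added illustration of the point in Grange’s quote, the Go program below (example code written for this page, not Hajime’s code or Symantec’s) models an implant that acts on a message only if the signature verifies under a public key baked into the binary. It assumes an Ed25519 key pair; the page does not say which signature scheme Hajime uses. The key names, the messages and the target address are constructed for the example, and the key pair is generated at startup only so the program runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// generateOperatorKey stands in for the key pair whose public half an implant
// carries as a hard-coded constant. A real implant ships only the 32-byte
// public key; the private half never leaves the author. Both halves are
// generated here purely so the example is self-contained.
func generateOperatorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // a failing CSPRNG is not a state a key generator can recover from
	}
	return pub, priv
}

// signMessage is the author-side step: a detached signature over msg.
func signMessage(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

// acceptMessage is the implant-side check described in the quote: a message is
// acted on only if its signature verifies under the hard-coded key. A true
// result proves that the holder of the private key produced msg, and nothing
// else; it says nothing about whether msg is benign.
func acceptMessage(trusted ed25519.PublicKey, msg, sig []byte) bool {
	if len(trusted) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false // malformed input is rejected instead of being allowed to panic inside Verify
	}
	return ed25519.Verify(trusted, msg, sig)
}

func main() {
	authorPub, authorPriv := generateOperatorKey()
	_, impostorPriv := generateOperatorKey()

	// Constructed messages: the first mirrors the "white hat" notice quoted in
	// the article, the second is a hypothetical command the same author could
	// push later. 192.0.2.0/24 is a documentation range, not a real target.
	notice := []byte("Just a white hat, securing some systems.")
	command := []byte("module=flood target=192.0.2.10")

	fmt.Println("notice signed by author:  ", acceptMessage(authorPub, notice, signMessage(authorPriv, notice)))
	fmt.Println("command signed by author: ", acceptMessage(authorPub, command, signMessage(authorPriv, command)))
	fmt.Println("notice signed by impostor:", acceptMessage(authorPub, notice, signMessage(impostorPriv, notice)))

	// A single flipped bit in the message invalidates the author's signature.
	tampered := append([]byte{}, notice...)
	tampered[0] ^= 0x01
	fmt.Println("tampered notice:          ", acceptMessage(authorPub, tampered, signMessage(authorPriv, notice)))
}
```

The check keeps third parties from hijacking the implant (an impostor’s signature and a tampered message are both rejected), which is why Grange can be confident the notice really came from the author. But a flood command signed with the same key passes the very same check, which is the concern in the quote: the signature binds origin, not intent.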
Carl Weinschenk covers telecom for IT Business Edge. He writes about wireless technology, disaster recovery/business continuity, cellular services, the Internet of Things, machine-to-machine communications and other emerging technologies and platforms. He also covers net neutrality and related regulatory issues. Weinschenk has written about the phone companies, cable operators and related companies for decades and is senior editor of Broadband Technology Report. He can be reached at firstname.lastname@example.org and via twitter at @DailyMusicBrk.