White Hat Worm Takes on IoT Botnet

Ray Walsh

Ray Walsh

April 24, 2017

A white hat hacker has created an Internet of Things (IoT) botnet that fights the dreaded and powerful Mirai botnet (also known as the Mirai worm). The hacktivist is known simply as “Hajime author,” which is how he or she signs off on messages delivered from the command and control (C&C) server that powers the virtuous botnet.

The true identity of the hacker is unknown. However, Hajime was the name given to the worm by the security researchers who discovered it – as opposed to the hacker (who has apparently taken a liking to the name).

The IoT Problem

IoT products are immensely popular, with over 6.4 billion in circulation according to Gartner in 2015. Many people don’t update the default passwords that those products ship with. Even worse, some products have been manufactured without the ability to update passwords at all.

Mirai (also known as Linux.Gafgyt) is a type of malware designed to take advantage of that vulnerability in IoT devices. It harnesses the power of unsecured IoT products located all over the world and uses that power to launch Distributed Denial of Service (DDoS) attacks.

Mirai in the Wild

When Mirai first hit the web last August, the world held its breath as massive DDoS attacks of unprecedented levels began to hit companies. In October 2016, the French web host OVH was hit with an attack bigger than any seen before. The week before, Brian Krebs’ website was hit with an enormous 620Gbps DDoS attack, which forced Google to step in and help the well-known security expert.

It didn’t end there – a few weeks later a DDoS attack on Dyn disrupted the internet on the largest scale ever experienced. Dyn controls much of the internet’s domain name system (DNS) infrastructure. When whoever was controlling Mirai hit the firm with a DDoS attack, it wiped out a number of important websites (including Twitter, the Guardian, Netflix, Reddit, CNN, Pinterest, GitHub, PayPal, Spotify, and Amazon) for several hours.

It is estimated that there are around one billion (one in six) unsecured IoT products in the world. Every time that somebody buys an IoT product and doesn’t secure it with a strong password, it can become a cell in the botnet’s attack infrastructure.

How Does It Spread?

IoT products make use of a Linux-based setting called Transmission Control Protocol (TCP). Botnets like Mirai leverage that message forwarding protocol to spread the software from one device to another. During DDoS attacks, message forwarding also hides the origin of the onslaught.

The Dyn attack was unprecedented, with estimates from the firm touting that the DDoS attack had originated from around “100,000 malicious endpoints.” The attack also proved that, as time goes on, we are more and more likely to see massive web blackouts. Step in Hajime…

Hajime Discovered

When the Hajime worm was first discovered last October, it was largely believed that it was another IoT botnet (like Mirai) still under development. At that time, Hajime only consisted of a self-replication module, which allowed it to spread from one IoT device to another via open and unsecured Telnet ports.

The malware was spreading and infecting IoT products, but for the time being it didn’t serve a purpose – it wasn’t actually being used for anything nefarious. This led the security community to speculate that Hajime may be one to look out for in the future. Whatever it was, Hajime was infecting devices and security experts were quietly worried about the kind of payload that might eventually be delivered onto it.

Legitimate Concerns

Many people speculated that due to IoT botnets like Mirai (and Hajime, which was creeping around in the shadows), 2017 might be the first time that longer lasting internet blackouts were experienced. That fear is still legitimate, because a new Mirai worm is out in the wild that has been launching 54-hour attacks.

Dima Berkerman, a security researcher at Imperva, says that the new Mirai variant is following exactly the same pattern as the original – infecting devices and spreading by continuously scanning the internet for unsecured devices. The Imperva researchers believe that the recent attack on an unnamed US college leveraged around 9,793 CCTV cameras, DVRs and routers.

During the recent DDoS attack, the newer form of the worm delivered a continuous flow of around 30,000 requests per second to its victim nonstop for 54 hours. “This is the most the most we’ve seen out of any Mirai botnet,” Berkerman said.

Hajime vs Mirai

The good news is that it has now become clear that Hajime is actually a vigilante’s attempt to curb the growing problem. Hajime is the work of a good-natured white hat hacker, who is attempting to thwart cybercriminals’ chances of extending malevolent Mirai-type botnets.

It does this by commandeering IoT devices and rendering them incapacitated before they are added to the much more dangerous worm variant. A report by Rapidity Networks explains that Hajime (like Mirai) scans the internet for unsecured devices using various predefined credentials:

“After each pair of credentials, Hajime waits for a response from the target device. If the credentials are rejected, Hajime closes the current connection, reconnects, and tries the next pair. While many of these credential pairs can be found in Mirai (i.e. their hardcoded credentials lists are similar), they differ in their login behavior: Hajime follows its credentials list sequentially, while Mirai makes login attempts in a weighted random order.”

Advanced Worm

Waylon Grange, a senior researcher at Symantec, even goes as far as claiming that Hajime is actually “stealthier and more advanced” than its malevolent counterpart:

“Once on an infected device, it takes multiple steps to conceal its running processes and hide its files on the file system.

“The author can open a shell script to any infected machine in the network at any time, and the code is modular, so new capabilities can be added on the fly. It is apparent from the code that a fair amount of development time went into designing this worm.”

Furthermore, Grange explains that Hajime uses exactly the same username and password combinations that Mirai is programmed to use, plus two more. According to the Symantec report, the botnet has spread significantly during the last few months. This is great news, as it means that the devices that have been infected can no longer fall victim to Mirai.

White Hat Messages

Grange’s blog explains that once Hajime has infected a device it instantly blocks access to ports 23, 7547, 5555, and 5358.   Those are all ports that have been exploited in the past by Mirai-type malware.

Following that, Hajime makes contact with a C&C server and returns a cryptographically-signed message every ten minutes. That message appears to confirm that whoever designed Hajime has no nefarious future plans for the botnet:

What is interesting is that there isn’t a single C&C server. Instead, “the controller pushes command modules to the peer network and the message propagates to all the peers over time. This is typically considered a more robust design as it makes takedowns more difficult.” All in all, Symantec’s researcher praises the worm’s creator for blocking those ports, because it increases the security of infected devices.

Nothing to Worry About?

For now, Hajime appears to be a fairytale. However, the reality is that despite the apparent good-natured motives of Hajime author, it is possible that this is a con. Nobody knows who Hajime’s author really is, and in the last few months, the botnet has spread massively. Modest estimates claim that Hajime is on tens of thousands of devices.

Due to the stealthy nature of Hajime, it is likely to spread much more as time goes on. In addition, whoever designed Hajime is known to have left a backdoor in it. That means that if Hajime’s motives suddenly change, it could be used to mount massive and devastating attacks. Only time will tell if this success story about a vigilante white hat hacker turns out to be a much more clever and dangerous infection vector.

After all, what better way to go about infecting huge numbers of machines than to pretend you are doing it for good? We can only hope that Hajime is indeed the brain-child of a white hat hacker, and, for now, we send Hajime’s author a big thumbs up.

It is worth remembering that both the Mirai and Hajime infections are only temporary. Once an infected device is rebooted, “it goes back to its unsecured state, complete with default passwords and a Telnet open to the world.” Grange explains that this leaves devices in a perpetual “Groundhog Day” type state:

“One day a device may belong to the Mirai botnet, after the next reboot it could belong to Hajime, then the next any of the many other IoT malware/worms that are out there scanning for devices with hardcoded passwords. This cycle will continue with each reboot until the device is updated with a newer, more secure firmware.”

Title image credit: Amirul Syaidi/

Image credits:

WrightStudio/, serato/, SVStudio/, MatiasDelCarmine/, aihumnoi/

Exclusive Offer
Get NordVPN for only