Mirai, the botnet that threatened the Internet as we knew it last year with record-setting denial-of-service attacks, is facing an existential threat of its own: A competing botnet known as Hajime has infected at least 10,000 home routers, network-connected cameras, and other so-called Internet of Things devices.
Hajime uses a decentralized peer-to-peer network to issue commands and updates to infected devices. This design makes it more resistant to takedowns by ISPs and Internet backbone providers. Hajime uses the same list of user name and password combinations Mirai uses, with the addition of two more. It also takes steps to conceal its running processes and files, a feature that makes detecting infected systems more difficult. Most interesting of all: Hajime appears to be the brainchild of a grayhat hacker, as evidenced by a cryptographically signed message it displays every 10 minutes or so on terminals. The message reads:
Just a white hat, securing some systems.
Important messages will be signed like this!
Another sign Hajime is a vigilante-style project intended to disrupt Mirai and similar IoT botnets: It blocks access to four ports known to be vectors used to attack many IoT devices. Hajime also lacks distributed denial-of-service capabilities or any other attacking code except for the propagation code that allows one infected device to seek out and infect other vulnerable devices.
Hajime isn’t the first botnet to show signs that its mission is to take out poorly secured Internet devices. Two weeks ago, researchers uncovered IoT malware they dubbed BrickerBot. BrickerBot gets its name because it attempts to damage routers and other Internet-connected appliances so badly that they become effectively inoperable, or “bricked.” In 2015, researchers from security provider Symantec exposed Wifatch, a piece of Linux malware that works much the way Hajime does.
There’s a temptation to applaud Hajime and its companions because they take aim at one of the great Internet scourges. In a blog post published Tuesday, Symantec engineer Waylon Grange makes a compelling case why that assessment would be misguided. He wrote:
The problem with these white worms is that they usually turn out to have a short lifespan. That is because their effects are only temporary. On the typical IoT system affected by these worms, the changes made to improve the security are only in RAM and not persistent.
Once the device is rebooted it goes back to its unsecured state, complete with default passwords and a Telnet open to the world. To have a lasting effect, the firmware would need to be updated. It is extremely difficult to update the firmware on a large scale because the process is unique to each device and in some cases is not possible without physical access. And so, we are left with embedded devices stuck in a sort of Groundhog Day time loop scenario. One day a device may belong to the Mirai botnet, after the next reboot it could belong to Hajime, then the next, any of the many other IoT malware/worms that are out there scanning for devices with hardcoded passwords. This cycle will continue with each reboot until the device is updated with a newer, more secure firmware.
Aside from the long-term inefficacy of Hajime, the fact remains that what its designer is doing—surreptitiously installing a backdoor without permission on tens of thousands of devices—is both unethical and illegal in most jurisdictions around the world. For this reason, I’m characterizing it as a grayhat project rather than a whitehat one, as Grange and the Hajime developer do. Illegal as they are, Hajime and BrickerBot are understandable and possibly inevitable reactions to the proliferation of poorly secured IoT devices, a vexing problem that seems to only be getting worse.