The Hajime malware is competing with the Mirai malware to enslave some internet of things devices<\/b>
Mirai\u2014a notorious malware that\u2019s been enslaving IoT devices\u2014has competition.
A rival piece of programming has been infecting some of the same easy-to-hack internet-of-things (IoT) products, with a resiliency that surpasses Mirai, according to security researchers.
\u201cYou can almost call it Mirai on steroids,\u201d said Marshal Webb, CTO at BackConnect , a provider of services to protect against distributed denial-of-service (DDoS) attacks.
Security researchers have dubbed the rival IoT malware Hajime, and since it was discovered more than six months ago, it\u2019s been spreading unabated and creating a botnet. Webb estimates it\u2019s infected about 100,000 devices across the globe.
These botnets, or networks of enslaved computers, can be problematic. They\u2019re often used to launch massive DDoS attacks that can take down websites or even disrupt the internet\u2019s infrastructure.
That\u2019s how the Mirai malware grabbed headlines last October. A DDoS attack from a Mirai-created botnet targeted DNS provider Dyn, which shut down and slowed internet traffic across the U. S.
Hajime was first discovered in the same month, when security researchers at Rapidity Networks were on the lookout for Mirai activity. What they found instead was something similar, but also more tenacious.
Like Mirai, Hajime also scans the internet for poorly secured IoT devices like cameras, DVRs, and routers. It compromises them by trying different username and password combinations and then transferring a malicious program.
However, Hajime doesn\u2019t take orders from a command-and-control server like Mirai-infected devices do. Instead, it communicates over a peer-to-peer network built off protocols used in BitTorrent, resulting in a botnet that\u2019s more decentralized\u2014and harder to stop.
\u201cHajime is much, much more advanced than Mirai,\u201d Webb said. \u201cIt has a more effective way to do command and control.\u201d
Broadband providers have been chipping away at Mirai-created botnets, by blocking internet traffic to the command servers they communicate with. In the meantime, Hajime has continued to grow 24\/7, enslaving some of the same devices. Its peer-to-peer nature means many of the infected devices can relay files or instructions to the rest of the botnet, making it more resilient against any blocking efforts.
Hajime infection attempts (blue) vs. Mirai infection attempts (red), according to a honeypot from security researcher Vesselin Bontchev.
Who\u2019s behind Hajime? Security researchers aren\u2019t sure. Strangely, they haven\u2019t observed the Hajime botnet launching any DDoS attacks\u2014which is good news. A botnet of Hajime\u2019s scope is probably capable of launching a massive one similar to what Mirai has done.
\u201cThere\u2019s been no attribution. Nobody has claimed it,\u201d said Pascal Geenens, a security researcher at security vendor Radware.
However, Hajime does continue to search the internet for vulnerable devices. Geenens\u2019 own honeypot, a system that tracks botnet activity, has been inundated with infection attempts from Hajime-controlled devices, he said.
So the ultimate purpose of this botnet remains unknown. But one scenario is it\u2019ll be used for cybercrime to launch DDoS attacks for extortion purposes or to engage in financial fraud.
\u201cIt\u2019s a big threat forming,\u201d Geenens said. \u201cAt some point, it can be used for something dangerous.\u201d
It\u2019s also possible Hajime might be a research project. Or, in a possible twist, maybe it\u2019s a vigilante security expert out to disrupt Mirai.
So far, Hajime appears to be more widespread than Mirai, said Vesselin Bontchev , a security expert at Bulgaria\u2019s National Laboratory of Computer Virology.
However, there\u2019s another key difference between the two malware. Hajime has been found infecting a smaller pool of IoT devices using ARM chip architecture.
That contrasts from Mirai, which saw its source code publicly released in late September. Since then, copycat hackers have taken the code and upgraded the malware. Vesselin has found Mirai strains infecting IoT products that use ARM, MIPS, x86, and six other platforms.
That means the clash between the two malware doesn\u2019t completely overlap. Nevertheless, Hajime has stifled some of Mirai\u2019s expansion.
\u201cThere\u2019s definitely an ongoing territorial conflict,\u201d said Allison Nixon, director of security research at Flashpoint.
To stop the malware, security researchers say it\u2019s best to tackle the problem at its root, by patching the vulnerable IoT devices. But that will take time and, in other cases, it might not even be possible. Some IoT vendors have released security patches for their products to prevent malware infections, but many others have not, Nixon said.
That means Hajime and Mirai will probably stick around for a long time, unless those devices are retired.
\u201cIt will keep going,\u201d Nixon said. \u201cEven if there\u2019s a power outage, [the malware] will just be back and re-infect the devices. It\u2019s never going to stop.\u201d<\/p>\n