On October 16, 2016, Rapidity Networks security research group published their analysis of Hajime, a worm currently targeting IoT devices such as routers, DVRs, and CCTV systems. The group claims to have discovered Hajime prior to the release of the Mirai Botnet source code and, because of that, Hajime is unlikely to contain any actual Mirai source code. They speculate that Hajime is it’s still in its propagation phase and is trying to infect as many devices as possible before it begins delivering more malicious and damaging payloads.
Hajime spreads by scanning for devices running Telnet servers using default credentials. There is no evidence of a centralized server being used to distribute this malware, as Hajime communicates over a decentralized overlay network in order to receive software and configuration updates. The researchers also determined that, although Hajime closely resembles Mirai in its discovery and attack phases, it appears to be much more sophisticated.
Hajime scans random IPv4 addresses until it finds a vulnerable device that accepts Telnet connections on TCP port 23. It then launches a brute-force attack, trying several login credential combinations from its hardcoded list. Similar to Mirai, the primary default username and password combination used on the targeted vulnerable devices is root and xc3511. (See Fig. 1 for additional targeted default credential combinations.) If the attack is successful, it begins examining the device and proceeds with the infection process. It then beacons back to the previous node and retrieves a program designed to make the infected device connect to a P2P network in order to retrieve configuration instructions and an additional scanning program. The P2P network that Hajime uses is built upon BitTorrent’s DHT protocol which it uses for node discovery and the uTorrent Transport Protocol (uTP) for the transfer of data. After the scanning program is installed, it scans IPv4 addresses to find more vulnerable devices and the cycle repeats.
Hajime uses several obfuscation techniques including deleting itself from the infected device’s filesystem, changing its process name after execution, and disguising itself as a common Telnet daemon program. It also aims to keep its network footprint small and encrypts its communication across the network. The research group has been witnessing approximately 70 - 100 Hajime attackers per day on their honeypot network. Mitigation strategies for network administrators include blocking UDP packets containing any P2P traffic, block TCP connections containing attack traffic, and block TCP port 4636, the port used by the first stage of the infection.
A more detailed analysis of the Hajime botnet can be found as a downloadable PDF on Rapidity Networks website, here.
Reporting and Technical Details:
- October 2016: Hajime: Analysis of a Decentralized Internet Worm for IoT Devices (Rapidity Networks)
- October 2016: Hajime IoT Worm Considerably More Sophisticated than Mirai (Softpedia)
- April 2017: IoT Malware Clashes in a Botnet Territory Battle (CSO)
- April 2017: Vigilante Hacker Uses Hajime Malware to Wrestle with Mirai Botnets (Bleeping Computer)
- April 2017: Security Experts Worry as Hajime Botnet Grows to 300,000 Bots (Bleeping Computer)