The Hajime malware family, which was first uncovered [PDF] by Rapidity Networks researchers last fall, is increasingly competing with the Mirai botnet to infect Internet of Things (IoT) devices.
"Unlike Mirai, which uses hardcoded addresses for its command and control (C&C) server, Hajime is built on a peer-to-peer network," Symantec senior threat researcher Waylon Grange notes in a blog post examining the threat. "There isn't a single C&C server address, instead the controller pushes command modules to the peer network and the message propagates to all the peers over time. This is typically considered a more robust design as it makes takedowns more difficult."
Hajime also does far more to conceal itself than Mirai, and allows the author to open a shell script to any infected machine at any time. "It is apparent from the code that a fair amount of development time went into designing this worm," Grange writes.
Symantec estimates that Hajime's peer-to-peer network numbers in the tens of thousands of devices, with the majority of infections in Brazil, Iran, Thailand and the Russian Federation.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
Malware Without a Cause
Still, it's not clear at this point what Hajime's purpose is -- while it does install a backdoor, it doesn't leverage that access to launch DDoS attacks or deliver malicious code. It just diplays the following message every 10 minutes: "Just a white hat, securing some systems. Important messages will be signed like this! Hajime Author. Contact CLOSED Stay sharp!"
"To the author's credit, once the worm is installed it does improve the security of the device," Grange writes. "It blocks access to ports 23, 7547, 5555 and 5358, which are all ports hosting services known to be exploitable on many IoT devices. Mirai is known to target some of these ports."
But it's impossible to know what the author's real intentions may be. "The power of this number of bot soldiers can be used in many various ways," Imperva director of security research Itsik Mantin told eSecurity Planet by email. "Are we expected to see from this botnet intensive DDoS attacks on victim Web servers like Mirai, distributed brute force attempts on login pages, or scanning websites for SQL injection vulnerabilities?"
"What most disturbs me here is the fact that this trend is likely to stay with us for at least a couple of years," Mantin added. "Existing botnets remain active until the devices are patched or retired, which in IoT devices can take years. Moreover, new connected devices are continually being released to the field without adequate protection, providing easy prey for the next IoT worm."
Proactive Steps to Take
Symantec's Grange suggests taking the following steps to protect IoT devices on your network:
- Research the capabilities and security features of an IoT device before purchase
- Perform an audit of IoT devices used on your network
- Change the default credentials on devices. Use strong and unique passwords for device accounts and Wi-Fi networks
- Use a strong encryption method when setting up Wi-Fi network access (WPA)
- Disable features and services that are not required
- Disable Telnet login and use SSH where possible
- Disable Universal Plug and Play (UPnP) on routers unless absolutely necessary
- Modify the default privacy and security settings of IoT devices according to your requirements and security policy
- Disable or protect remote access to IoT devices when not needed
- Use wired connections instead of wireless where possible
- Regularly check the manufacturer's website for firmware updates
- Ensure that a hardware outage does not result in an unsecure state of the device
According to the results of a recent Lieberman Software survey of almost 160 RSA Conference attendees, more than 80 percent of IT professionals worry about the potential for attacks originating through their IoT devices.
While 40 percent of respondents have more than 500 IoT devices on their network, more than 50 percent admitted they don't have a process for changing default passwords on IoT devices.
"The responses to this survey are a good representation of the emerging threat of unsecured IoT devices," Lieberman Software president and CEO Philip Lieberman said in a statement. "Every one of these connected devices has an administrative back door that poses a risk."