Mirai has made the headlines several times in recent months. First detected back in October 2016, Mirai exploits known vulnerabilities in insecure Internet of Things (IoT) products to construct giant botnets. It then uses the masses of devices accumulated to overwhelm web servers with artificial traffic.
Mirai is now being followed around the web by a worm called Hajime. It was also discovered in October 2016 and, like Mirai, travels the Internet in search of vulnerable IoT products. It targets the same devices as Mirai and tries the same username and password combinations. Significant differences in its design, though, show that it is not a direct clone.
Most notably, Hajime uses a peer-to-peer network to communicate with its controller. Compared with Mirai’s hardcoded command and control server, Hajime’s peer-to-peer system is harder to shut down. Cybersecurity firm Symantec explained that Hajime’s creator injects commands into the peer network, from which they propagate incrementally to the connected devices.
Beyond searching for vulnerable devices, Hajime doesn’t carry any malicious capabilities. Despite featuring a modular architecture, it lacks any way to create the giant botnets Mirai is famous for. It carries only the code needed to get into the target device. Once installed, it retrieves a single message from its creator to display on the product’s terminal. The actor claims to be “just a white hat, securing some systems,” warning the device’s owner to “stay sharp.”
Security researchers have not been able to confirm whether Hajime is as benign as it appears. However, it seems to be living up to its claims, actually improving the security of affected devices once installed. It blocks access to the ports regularly targeted by Mirai, preventing the botnet from getting established.
Hajime isn’t the first vigilante effort to stop the spread of botnets. A script that travelled the web in 2015 claimed to bolster the security of its targets in much the same way Hajime does now. While the white-hat worms are currently helping defend against Mirai, researchers have warned that their creators could weaponize the software at any time.
“There is a question around trusting that the author is a true white hat and is only trying to secure these systems, as they are still installing their own backdoor on the system,” said Symantec of Hajime. “The modular design of Hajime also means if the author’s intentions change they could potentially turn the infected devices into a massive botnet.”
Hajime serves to illustrate how the face of cyberwarfare is changing. With worms now being designed to defend against other worms, vigilante hackers are demonstrating that malicious black-hat actors aren’t the only people with the tools to control IoT devices.
As Hajime’s purpose is unclear and its author’s identity remains unknown, owners of vulnerable products should make sure their devices are protected. A good place to start is setting a strong password for each user account and deleting the factory credentials. This prevents Mirai from installing itself through one of the default accounts it knows.