Security experts are keeping a close eye on the Hajime botnet, which is now estimated to have passed 300,000 infected IoT devices. By comparison, the Mirai botnet was estimated at about 400,000 devices when it was used in the DDoS attack against Dyn back in 2016, and it was a formidable problem for the company it targeted.
Both Mirai and Hajime target the same types of IoT devices and carry Japanese names: Mirai means "future", while Hajime means "beginning".
A recently released report by Symantec brought Hajime back into focus, as most security researchers had been concentrating their research efforts on Mirai. Meanwhile, the newcomer has managed to amass a large number of infected hosts, mainly DVRs, security cameras, and home routers.
The Hajime botnet gains access to its targets in one of three ways: by logging in over Telnet with known weak credentials, by abusing a weakness in the TR-064 remote-management protocol to take over routers, or by using the well-known "Password of the Day" attack on Arris/DOCSIS cable modems.
Things we know about Hajime:
- it is still being actively developed, having been updated 6 times since the start of the year
- it spreads very similarly to the Mirai botnet, but targets at least two more types of device
- Hajime's command-and-control (C&C) runs over a P2P protocol rather than a fixed server
- Hajime bot communications are encrypted
- The owner of the botnet fixed a bug that a security vendor had published
- Rapidity Networks named the botnet Hajime, and the owner has since continued to refer to it as Hajime
It is speculated that the botnet owner might be a whitehat vigilante who is infecting devices to lock out Mirai, because the message printed on the infected device's console reads:
Just a white hat, securing some systems.
Important messages will be signed like this!
Hajime Author.
Contact CLOSED
Stay Sharp!
Speculation about whether the botnet author really is a whitehat continues. Those who think the author might not be entirely benign point to the aggressive scanning and to the fact that the bot stays resident on the device even after it has locked out the ports Mirai attacks. It also opens other ports, and its encrypted communication makes many researchers very wary of declaring the botnet operator a "whitehat".