Hajime malware now has 300,000 strong botnet at disposal say researchers

In a new report, Kaspersky said that since the malware first appeared in October last year, it has turned into a botnet of 300,000 compromised devices. The malware is billed as a “vigilante”-style worm, fighting for control of IoT devices with the Mirai botnet. It appears to act like a clean-up operation, protecting devices from other types of malware. But researchers said that its real purpose remains unclear.

“While the botnet is getting bigger and bigger, its objective remains unknown. We have not seen its traces in any type of attack or additional malicious activity. Nevertheless, we advise owners of IoT devices to change the password of their devices to one that's difficult to brute force, and to update their firmware if possible," said Konstantin Zykov, senior security researcher at Kaspersky Lab.

The researchers said the malware is continuously evolving, adding and removing features over time. The malware authors are mainly reliant on very low levels of security, according to researchers.

It said that the botnet has no attacking code or capability in Hajime – only a propagation module. It also uses brute-force attacks on device passwords – to infect devices, and then takes several steps to conceal itself from the compromised victim. Thus, the device becomes part of the botnet. Most of the targets have turned out to be Digital Video Recorders, followed by web-cameras and routers.

According to Kaspersky Lab researchers however, Hajime avoids several networks, including those of General Electric, Hewlett-Packard, the US Postal Service, the United States Department of Defence, and several private networks.

Infections had primarily come from Vietnam (over 20 per cent), Taiwan (almost 13 per cent) and Brazil (around 9 per cent) at the time of research.

Elliott Thompson, security consultant, at security consultancy SureCloud, told SC Media UK that like the 2016 Mirai botnet, a Distributed Denial of Service (DDoS) attack is the most likely purpose due to the ease at which these attacks can be executed.

“However, the devices could also be used as gateways into networks for further attacks such as a ransomware infection or data exfiltration,” he said.

““Current IoT botnets have relied upon devices having networks exposing ports with vulnerable services. Many of the affected devices do not have patches available, meaning the only options for mitigation or risk reduction would be to restrict the ports manually using a firewall, or to stop using the devices altogether,” he added.

Hervé Dhelin, SVP Strategy at EfficientIP, told SC Media UK that the problem is being able to detect a low volume attack from many devices.

“Most of the security layers will not see the attack, the traffic being very low it will be under the radar. Enterprises should be able to detect the abnormal behaviour and block or quarantine only non-legitimate requests from those devices,” he said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.