Symantec researchers have discovered a new worm, known as Hajime, that is infecting tens of thousands of IoT (Internet of Things) products and seems to have a single purpose: preventing Mirai from taking over.
Mirai is notorious malware that has infected countless IoT devices, turning them into bots for various for-hire DDoS attacks and more.
Hajime was first discovered by researchers in October of last year, spreading via unsecured devices that have open Telnet ports and use default passwords. This is pretty much the same technique Mirai uses to get into devices.
Unlike Mirai, Hajime doesn’t use C&C servers; instead, it implements a peer-to-peer network.
“There isn’t a single C&C server address, instead the controller pushes command modules to the peer network and the message propagates to all the peers over time. This is typically considered a more robust design as it makes takedowns more difficult,” reads the analysis published by Symantec.
Symantec has tracked infections all over the world as Hajime has been spreading quickly. Researchers have some questions about whether the individual behind Hajime is really a White Hat simply trying to secure devices.
Once on a device, Hajime truly works to secure it by blocking access to ports 23, 7547, 5555, and 5358, which are often exploited.
“Once the device is rebooted it goes back to its unsecured state, complete with default passwords and a Telnet open to the world. To have a lasting effect, the firmware would need to be updated. It is extremely difficult to update the firmware on a large scale because the process is unique to each device and in some cases is not possible without physical access,” Symantec said.
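Because the port blocks described above do not survive a reboot, device owners can check for themselves whether ports 23, 7547, 5555 and 5358 are reachable on equipment they administer. The following is an added example, not code from Symantec or from the original article; the function names and the inventory addresses (taken from the 192.0.2.0/24 documentation range) are assumptions.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Ports the article says Hajime blocks once it is on a device.
HAJIME_BLOCKED_PORTS = (23, 7547, 5555, 5358)


def port_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


def audit_device(host, ports=HAJIME_BLOCKED_PORTS, timeout=1.0):
    """Map each port to True (reachable) or False for one device."""
    with ThreadPoolExecutor(max_workers=len(ports)) as pool:
        results = pool.map(lambda p: port_open(host, p, timeout), ports)
        return dict(zip(ports, results))


def exposed(inventory, ports=HAJIME_BLOCKED_PORTS, timeout=1.0):
    """Return {host: [reachable ports]} for devices with any port reachable."""
    report = {}
    for host in inventory:
        status = audit_device(host, ports, timeout)
        open_ports = [p for p, is_open in status.items() if is_open]
        if open_ports:
            report[host] = open_ports
    return report


if __name__ == "__main__":
    # Constructed inventory: replace with devices you administer.
    inventory = ["192.0.2.10", "192.0.2.11"]
    for host, open_ports in exposed(inventory, timeout=0.5).items():
        print(f"{host}: reachable on {open_ports}; re-check after every reboot")
```

A device that shows no reachable ports today can show them again after a power cycle, so the check is worth scheduling rather than running once.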