Vigilante IoT worm Hajime hits Australia

By on
Vigilante IoT worm Hajime hits Australia

Blocks access for Mirai malware.

Insecure devices worldwide are being infected by the vigilante Hajime worm, which seeks to block access for the Mirai malware used in denial of service attacks.

Security vendor Symantec said Hajime, which was discovered last October by Rapidity Networks [pdf], is spreading fast, with large numbers of internet of things devices being infected mainly in Brazil, Iran, Thailand, and Russia, as well as Australia.

Hajime spreads in the same way as Mirai, looking for devices with open telnet services and default passwords.

Symantec said once Hajime is installed on a device, the worm blocks access to TCP ports 23, 7547, 5358, and 5555, which are used by Mirai and other malware for network communications.

This prevents Mirai and other worms from attacking the devices.

The author of Hajime coded a message into the worm that displays every ten minutes on device terminals:

"Just a white hat, securing some systems.

Important messages will be signed like this!

Hajime Author.

Contact CLOSED

Stay sharp!"

Unlike Mirai, which has been used in large-scale denial of service attacks, Hajime does not contain attack code, only a propagation module to make it spread over networks.

According to Symantec, Hajime is stealthier and more advanced than Mirai. The worm does not use a command and control server, and relies on a peer-to-peer network structure to make it more difficult to take down.

Hajime also attempts to hide itself once it has infected devices, and provides remote access with a command shell for the worm's author.

Symantec said Hajime's code is modular and new capabilities can be added on the fly.

"It is apparent from the code that a fair amount of development time went into designing this worm," Symantec said.

The spate of Hajime infections follow another IoT worm, BrickerBot, which permanently damages vulnerable devices by "phlashing" them, or issuing commands to delete or corrupt system files.

While BrickerBot does not display a message explaining its intentions, security researchers suspect it to be the work of vigilantes as it targets the same type of open devices as Mirai does.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
hajime iot mirai security symantec
In Partnership With

Most Read Articles

Route leak causes internet problems worldwide

Route leak causes internet problems worldwide
Tap-and-go fee gouging explodes

Tap-and-go fee gouging explodes
Woolworths promotes Agile boss to manage group transformation

Woolworths promotes Agile boss to manage group transformation
NAB gives three people $666m each to lend on tech

NAB gives three people $666m each to lend on tech
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Follow these steps to prevent targeted attacks
Follow these steps to prevent targeted attacks
Is your cybersecurity knowledge out of date?
Is your cybersecurity knowledge out of date?
Your mobile devices may not be secure – learn how to fix that
Your mobile devices may not be secure – learn how to fix that
Don’t risk your business – learn how to protect your cloud assets
Don’t risk your business – learn how to protect your cloud assets
Accelerate your cloud adoption - Go Fast, Securely
Accelerate your cloud adoption - Go Fast, Securely

Events

Log In

Username / Email:
Password:
  |  Forgot your password?