Insecure devices worldwide are being infected by the vigilante Hajime worm, which seeks to block access for the Mirai malware used in denial of service attacks.
Security vendor Symantec said Hajime, which was discovered last October by Rapidity Networks, is spreading fast, with large numbers of internet of things devices being infected mainly in Brazil, Iran, Thailand, and Russia, as well as Australia.
Hajime spreads in the same way as Mirai, looking for devices with open telnet services and default passwords.
Symantec said once Hajime is installed on a device, the worm blocks access to TCP ports 23, 7547, 5358, and 5555, which are used by Mirai and other malware for network communications.
This prevents Mirai and other worms from attacking the devices.
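As an added example (not from Symantec or the original article), the following Python audits a Linux-based device you administer for listening sockets on the four ports named above by parsing the `/proc/net/tcp` table. The sample table is constructed, and the address decoding assumes IPv4 on a little-endian host.

```python
import socket
import struct

# Ports the article says Hajime blocks (used by Mirai and other malware).
WATCHED_PORTS = {23, 7547, 5358, 5555}
TCP_LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp format (not captured from a real device).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201
   1: 0100007F:1D7B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1202
   2: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1203
   3: 0A00000A:0017 0200000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 1204
   4: 00000000:15B3 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1205
"""


def exposed_listeners(proc_net_tcp_text):
    """Return (address, port, reachable_off_host) for each watched LISTEN socket."""
    findings = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue  # malformed row, or a socket that is not listening
        addr_hex, port_hex = fields[1].split(":")
        port = int(port_hex, 16)
        if port not in WATCHED_PORTS:
            continue
        # Assumption: little-endian host, so the hex word is byte-swapped.
        addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
        # A loopback-only listener is not reachable from the network.
        findings.append((addr, port, not addr.startswith("127.")))
    return findings


if __name__ == "__main__":
    for addr, port, reachable in exposed_listeners(SAMPLE_PROC_NET_TCP):
        status = "reachable off-host" if reachable else "loopback only"
        print(f"{addr}:{port} is listening ({status})")
```

On a real device, pass the contents of `/proc/net/tcp` instead of the sample; IPv6 listeners live in `/proc/net/tcp6` and are not covered here.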
The author of Hajime coded a message into the worm that displays every ten minutes on device terminals:
"Just a white hat, securing some systems.
Important messages will be signed like this!
Unlike Mirai, which has been used in large-scale denial of service attacks, Hajime does not contain attack code, only a propagation module to make it spread over networks.
According to Symantec, Hajime is stealthier and more advanced than Mirai. The worm does not use a command and control server, and relies on a peer-to-peer network structure to make it more difficult to take down.
Hajime also attempts to hide itself once it has infected devices, and provides remote access with a command shell for the worm's author.
Symantec said Hajime's code is modular and new capabilities can be added on the fly.
"It is apparent from the code that a fair amount of development time went into designing this worm," Symantec said.
The spate of Hajime infections follows another IoT worm, BrickerBot, which permanently damages vulnerable devices by "phlashing" them, or issuing commands to delete or corrupt system files.
While BrickerBot does not display a message explaining its intentions, security researchers suspect it to be the work of vigilantes as it targets the same type of open devices as Mirai does.