Vigilante IoT worm Hajime hits Australia

By on
Vigilante IoT worm Hajime hits Australia

Blocks access for Mirai malware.

Insecure devices worldwide are being infected by the vigilante Hajime worm, which seeks to block access for the Mirai malware used in denial of service attacks.

Security vendor Symantec said Hajime, which was discovered last October by Rapidity Networks [pdf], is spreading fast, with large numbers of internet of things devices being infected mainly in Brazil, Iran, Thailand, and Russia, as well as Australia.

Hajime spreads in the same way as Mirai, looking for devices with open telnet services and default passwords.

Symantec said once Hajime is installed on a device, the worm blocks access to TCP ports 23, 7547, 5358, and 5555, which are used by Mirai and other malware for network communications.

This prevents Mirai and other worms from attacking the devices.

The author of Hajime coded a message into the worm that displays every ten minutes on device terminals:

"Just a white hat, securing some systems.

Important messages will be signed like this!

Hajime Author.

Contact CLOSED

Stay sharp!"

Unlike Mirai, which has been used in large-scale denial of service attacks, Hajime does not contain attack code, only a propagation module to make it spread over networks.

According to Symantec, Hajime is stealthier and more advanced than Mirai. The worm does not use a command and control server, and relies on a peer-to-peer network structure to make it more difficult to take down.

Hajime also attempts to hide itself once it has infected devices, and provides remote access with a command shell for the worm's author.

Symantec said Hajime's code is modular and new capabilities can be added on the fly.

"It is apparent from the code that a fair amount of development time went into designing this worm," Symantec said.

The spate of Hajime infections follow another IoT worm, BrickerBot, which permanently damages vulnerable devices by "phlashing" them, or issuing commands to delete or corrupt system files.

While BrickerBot does not display a message explaining its intentions, security researchers suspect it to be the work of vigilantes as it targets the same type of open devices as Mirai does.

Copyright © iTnews.com.au . All rights reserved.
Tags:
hajime iot mirai security symantec

Most Read Articles

Ransomware strikes Victorian speed cameras

Ransomware strikes Victorian speed cameras
Ombudsman stunned by Vic CIO's 'calculated nepotism'

Ombudsman stunned by Vic CIO's 'calculated nepotism'
Foxtel turns to data and digital to take on Netflix

Foxtel turns to data and digital to take on Netflix
First NBN FTTC areas unlikely to be able to order retail service

First NBN FTTC areas unlikely to be able to order retail service
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Optimising Enterprise Data Centres for the Cloud
Optimising Enterprise Data Centres for the Cloud
Growing companies have a growing interest in technology
Growing companies have a growing interest in technology
RSA NetWitness® Endpoint. Respond 3X Faster to Threats
RSA NetWitness® Endpoint. Respond 3X Faster to Threats
Building platforms for future health and education
Building platforms for future health and education
Breach Level Index Report
Breach Level Index Report

Events

Log In

Username:
Password:
|  Forgot your password?