Vigilante IoT worm Hajime hits Australia

By on
Vigilante IoT worm Hajime hits Australia

Blocks access for Mirai malware.

Insecure devices worldwide are being infected by the vigilante Hajime worm, which seeks to block access for the Mirai malware used in denial of service attacks.

Security vendor Symantec said Hajime, which was discovered last October by Rapidity Networks [pdf], is spreading fast, with large numbers of internet of things devices being infected mainly in Brazil, Iran, Thailand, and Russia, as well as Australia.

Hajime spreads in the same way as Mirai, looking for devices with open telnet services and default passwords.

Symantec said once Hajime is installed on a device, the worm blocks access to TCP ports 23, 7547, 5358, and 5555, which are used by Mirai and other malware for network communications.

This prevents Mirai and other worms from attacking the devices.

The author of Hajime coded a message into the worm that displays every ten minutes on device terminals:

"Just a white hat, securing some systems.

Important messages will be signed like this!

Hajime Author.

Contact CLOSED

Stay sharp!"

Unlike Mirai, which has been used in large-scale denial of service attacks, Hajime does not contain attack code, only a propagation module to make it spread over networks.

According to Symantec, Hajime is stealthier and more advanced than Mirai. The worm does not use a command and control server, and relies on a peer-to-peer network structure to make it more difficult to take down.

Hajime also attempts to hide itself once it has infected devices, and provides remote access with a command shell for the worm's author.

Symantec said Hajime's code is modular and new capabilities can be added on the fly.

"It is apparent from the code that a fair amount of development time went into designing this worm," Symantec said.

The spate of Hajime infections follow another IoT worm, BrickerBot, which permanently damages vulnerable devices by "phlashing" them, or issuing commands to delete or corrupt system files.

While BrickerBot does not display a message explaining its intentions, security researchers suspect it to be the work of vigilantes as it targets the same type of open devices as Mirai does.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
hajime iot mirai security symantec
In Partnership With

Most Read Articles

Telstra, Optus and Vodafone temporarily block websites after Christchurch attack

Telstra, Optus and Vodafone temporarily block websites after Christchurch attack
Millennials might swipe, can't screw: Bunnings boss nails omnichannel

Millennials might swipe, can't screw: Bunnings boss nails omnichannel
Govt to spend $220m on mobile, co-fund NBN area switches

Govt to spend $220m on mobile, co-fund NBN area switches
SAP ousts in-house programmers

SAP ousts in-house programmers
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

How Macquarie University has prepared for fire and flood
How Macquarie University has prepared for fire and flood
Guide to Fully-Composable Software-Defined Private Cloud
Guide to Fully-Composable Software-Defined Private Cloud
Is slow data silently killing your business? Here's why you should care.
Is slow data silently killing your business? Here's why you should care.
Cloud, AI, infosec: Is your IT strategy keeping up?
Cloud, AI, infosec: Is your IT strategy keeping up?
Australian business moves to a new cloud era
Australian business moves to a new cloud era

Events

Log In

Username / Email:
Password:
  |  Forgot your password?