Vigilante IoT worm Hajime hits Australia

By on
Vigilante IoT worm Hajime hits Australia

Blocks access for Mirai malware.

Insecure devices worldwide are being infected by the vigilante Hajime worm, which seeks to block access for the Mirai malware used in denial of service attacks.

Security vendor Symantec said Hajime, which was discovered last October by Rapidity Networks [pdf], is spreading fast, with large numbers of internet of things devices being infected mainly in Brazil, Iran, Thailand, and Russia, as well as Australia.

Hajime spreads in the same way as Mirai, looking for devices with open telnet services and default passwords.

Symantec said once Hajime is installed on a device, the worm blocks access to TCP ports 23, 7547, 5358, and 5555, which are used by Mirai and other malware for network communications.

This prevents Mirai and other worms from attacking the devices.

The author of Hajime coded a message into the worm that displays every ten minutes on device terminals:

"Just a white hat, securing some systems.

Important messages will be signed like this!

Hajime Author.

Contact CLOSED

Stay sharp!"

Unlike Mirai, which has been used in large-scale denial of service attacks, Hajime does not contain attack code, only a propagation module to make it spread over networks.

According to Symantec, Hajime is stealthier and more advanced than Mirai. The worm does not use a command and control server, and relies on a peer-to-peer network structure to make it more difficult to take down.

Hajime also attempts to hide itself once it has infected devices, and provides remote access with a command shell for the worm's author.

Symantec said Hajime's code is modular and new capabilities can be added on the fly.

"It is apparent from the code that a fair amount of development time went into designing this worm," Symantec said.

The spate of Hajime infections follow another IoT worm, BrickerBot, which permanently damages vulnerable devices by "phlashing" them, or issuing commands to delete or corrupt system files.

While BrickerBot does not display a message explaining its intentions, security researchers suspect it to be the work of vigilantes as it targets the same type of open devices as Mirai does.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
hajime iot mirai security symantec
In Partnership With

Most Read Articles

TPG suffers Australia-wide internet problems

TPG suffers Australia-wide internet problems
AWS suffers cloud problems in Sydney region

AWS suffers cloud problems in Sydney region
Optus breaks silence on NBN Co's enterprise behaviour

Optus breaks silence on NBN Co's enterprise behaviour
Apple pushes back against EU common charger

Apple pushes back against EU common charger
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Are you getting profitable outcomes from your IT?
Are you getting profitable outcomes from your IT?
Your Microsoft Security journey starts here
Your Microsoft Security journey starts here
Is your AWS framework well-architected?
Is your AWS framework well-architected?
Why you should reassess your cybersecurity posture
Why you should reassess your cybersecurity posture
How will you manage the cloud data deluge?
How will you manage the cloud data deluge?

Events

Log In

Username / Email:
Password:
  |  Forgot your password?