Hajime IoT Malware and DDoS

In the second half of last year, the Mirai (Japanese for “future”) malware made itself known with the DDoS attack on Dyn, which was carried out using compromised devices that fall under the IoT umbrella: routers, modems, cameras, DVRs, NVRs and the like. Mirai takes control of these devices by exploiting security vulnerabilities in the very old and weak Linux versions that serve as their base operating system, and/or by logging in with default username/password settings that were never changed. On September 22, 2016, Mirai was used to attack Brian Krebs’s blog, reaching 620 Gbps of bandwidth [1], and on October 21, 2016, another Mirai attack hit Dyn, reaching 1.2 Tbps [2]. Mirai’s source code was published on Hackforums on September 30, 2016 by someone calling himself Anna Senpai. When the details were examined, Mirai’s DDoS capabilities became clear.

After the release of the code, malware of a different kind appeared. In their report dated 16 October 2016 [4], Rapidity Networks SRG clearly describe a malware sample that can be called more innovative. This malware (Hajime, “start” in Japanese) spread through telnet ports on IoT devices, the same propagation method as Mirai. After infection, however, it uses the BitTorrent DHT to locate the second-stage (stage2) files and BitTorrent uTP to download them. In this way Hajime distributes its second-stage code easily. Moreover, by providing such a flexible second-stage mechanism, this new malware is in effect becoming a generic platform for later purposes; for example, captured bots could be rented out with custom second stages. This is a very important development.

Another researcher in the same area, Ioannis Profetis, discusses some changes in the current version of Hajime in a recent blog post [5]. Alongside changes such as the switch to wget for downloads and the blocking of access to some ports on the infected system, especially telnet, there are comments that Hajime actually protects the infected system from being infected by other malware. It has even been reported as a defensive system, written by gray hat hackers, that protects these devices [6].

I do not agree with the comments that Hajime is the work of gray hat hackers. Closing the relevant ports may indeed be Hajime’s purpose, but it can equally mean refusing to admit anyone else into that place, that is, ownership. In addition, the easily changeable secondary stage files prepare a platform that can be used for DDoS and similar attacks in the future. In fact, the use of the BitTorrent infrastructure in the original design also points to this.

Hajime is not the only one taking an attack-based approach to blocking these attacks. BrickerBot, a malware discovered recently, renders IoT devices inoperable so that they cannot be infected. You may want to look at the “ruthless” command lines showing how it disables these devices [7].

Meanwhile, it is also interesting that the name Hajime, given to it by the first researchers, has been accepted by Hajime’s authors in the current versions, and that they now refer to themselves this way. Hajime has currently reached 300,000 devices.

If you are reading this post as an end user, do not leave the pre-defined passwords on devices such as modems, cameras and DVRs, and turn off the telnet and SSH access ports if they are not needed.
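Both Mirai and Hajime get onto a device by hammering its telnet login with default credentials, so a telnet credential sweep followed by a successful login is the footprint to look for on a router or camera that still exposes port 23. The detector below is an added example, not code from this post or from either malware family; the syslog-style `login[...]` line format and the sample log are constructed assumptions, so adapt the regex to what your device actually logs.

```python
"""Flag Mirai/Hajime-style telnet credential sweeps in constructed device logs."""
import re
from collections import defaultdict

# Constructed sample in a BusyBox/syslog-like format (assumed format, not a real capture).
SAMPLE_LOG = """\
Apr 20 10:01:02 gw telnetd[311]: connect from 198.51.100.7 port 23
Apr 20 10:01:03 gw login[312]: LOGIN FAILED user 'root' from 198.51.100.7
Apr 20 10:01:04 gw login[313]: LOGIN FAILED user 'admin' from 198.51.100.7
Apr 20 10:01:05 gw login[314]: LOGIN FAILED user 'support' from 198.51.100.7
Apr 20 10:01:06 gw login[315]: LOGIN FAILED user 'user' from 198.51.100.7
Apr 20 10:01:07 gw login[316]: LOGIN FAILED user 'root' from 198.51.100.7
Apr 20 10:01:09 gw login[317]: LOGIN OK user 'root' from 198.51.100.7
Apr 20 10:05:00 gw login[320]: LOGIN FAILED user 'alice' from 192.0.2.10
Apr 20 10:05:30 gw login[321]: LOGIN OK user 'alice' from 192.0.2.10
"""

LOGIN_RE = re.compile(
    r"^\w{3} +\d+ (\d\d):(\d\d):(\d\d) \S+ login\[\d+\]: LOGIN (OK|FAILED) "
    r"user '([^']*)' from (\d+\.\d+\.\d+\.\d+)$"
)


def parse_logins(text):
    """Yield (seconds_since_midnight, result, user, src_ip) for each login line."""
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            h, mi, s, result, user, ip = m.groups()
            yield int(h) * 3600 + int(mi) * 60 + int(s), result, user, ip


def find_credential_sweeps(text, window=60, threshold=5):
    """Return {src_ip: verdict} for sources that brute-force the telnet login.

    'sweep' means >= threshold failed logins inside `window` seconds;
    'sweep+login' means a successful login followed the sweep, i.e. the
    device has most likely been taken over with a default credential.
    """
    events = defaultdict(list)
    for ts, result, user, ip in parse_logins(text):
        events[ip].append((ts, result, user))
    verdicts = {}
    for ip, evs in events.items():
        evs.sort()
        recent = []  # timestamps of failures still inside the window
        for ts, result, _user in evs:
            recent = [t for t in recent if ts - t <= window]
            if result == "FAILED":
                recent.append(ts)
                if len(recent) >= threshold:
                    verdicts.setdefault(ip, "sweep")
            elif ip in verdicts:  # success after a sweep: compromise likely
                verdicts[ip] = "sweep+login"
    return verdicts


if __name__ == "__main__":
    for src, verdict in find_credential_sweeps(SAMPLE_LOG).items():
        print(f"{src}: {verdict}")
```

A single user who mistypes a password once (192.0.2.10 in the sample) is not flagged; only the rapid multi-attempt sweep from 198.51.100.7, which then succeeds, is reported.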

If you are a technical researcher, the links below will be of interest. You may also be interested in Brian Krebs’s account of how he traced the author of Mirai [8].

If you are an enterprise, consider deploying Layer 7 DDoS protection measures.

  1. https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/
  2. http://dyn.com/blog/dyn-statement-on-10212016-ddos-attack/
  3. https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
  4. https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf
  5. https://x86.re/blog/hajime-a-follow-up/
  6. https://arstechnica.com/security/2017/04/vigilante-botnet-infects-iot-devices-before-blackhats-can-hijack-them/?comments=1
  7. https://www.bleepingcomputer.com/news/security/new-malware-intentionally-bricks-iot-devices/
  8. https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/

HARPP DDoS Mitigator is listed as one of the “Key Innovators” in MarketsandMarkets’ DDoS Protection and Mitigation Market – Forecast to 2021 Report.

The research report segments the DDoS protection market by Component (Solution and Service), Application Area (Network, Application, Database and Endpoint), Deployment Mode, Organization Size, Vertical and Region.

Labris Networks is listed as one of the Key Innovators in the 15th chapter of the report with its AI (Artificial Intelligence) based L7 CPE DDoS Mitigation product line and integrated SOC and CERT services. Labris Networks is the game-changing player in the market with its technology and business model innovations.

About MarketsandMarkets:
MarketsandMarkets is the largest market research firm worldwide in terms of premium market research reports published annually. Serving 1,700 Fortune organizations globally with more than 1,200 premium studies a year, MarketsandMarkets caters to a multitude of clients across 12 different industry verticals.

Author Details:
Shreyas Waikar
Industry Analyst, Information Security at MarketsandMarkets

Additional information is reachable from the report’s page.


Check out HARPP DDoS CERT Statistics from Labris Networks’ 2016 Cyber Security Report and 2017 Forecast

Classic network threats have evolved into threats that are encrypted and disguised within application traffic.

Labris Networks has released its 2016 Cyber Security Report. The report is published in the light of the cyber threats responded to by the Labris Security Operations Center (SOC) throughout the year, and it also provides insights into the year 2017. Read the full report and the statistics at http://labrisnetworks.com/labris-soc-annual-report/

In 2016, cyber-attacks threatened people’s daily lives. Countries used cyber-attacks as a tool to influence and suppress each other. Yet the bright side is that while the level of threats is increasing, awareness of them is growing beyond the specialized authorities. From the highest government representatives to ordinary citizens who are not even computer literate, this awareness has advanced more and more. It has come to be accepted that cyber-attacks are a natural part of the picture when analyzing critical daily events.

“Attacks and defense are getting smarter”

The need for cyber security products that have artificial intelligence and can inspect at the application level is becoming critical. The increasing speed of traffic and the growing need for inspection performance make it essential that different tasks are performed on different network layers.

The percentage of DDoS attacks performed at the L7 application layer has reached 69%. This reveals that L7 DDoS inspection products with artificial intelligence, located at the entrance of the network as CPE, have become a fundamental line of defense.

“Significance of services delivered by trusted experts is increasing”

It is highly critical that services such as Security Operations Centers (SOC) and Computer Emergency Response Teams (CERT) are delivered in a competitive market.

To be a forerunner in cyberspace, it becomes necessary that security layers are developed with trusted parties, that the cyber security awareness of all computer users is increased, and that the cyber security of organizations is supported by local cyber security centers.

This detailed report published by Labris Networks aims to raise the awareness of private, government and military entities alike of these risks. Labris Networks emphasizes that protection against security risks cannot be achieved with a product alone, but only with a unified solution that includes product, service and know-how.

Read the full report and the infographics at http://labrisnetworks.com/labris-soc-annual-report/