Hajime IoT Malware and DDoS

In the second half of last year, the Mirai (Japanese for “future”) malware made itself known through a DDoS attack on DYN carried out with compromised devices that fall under the IoT umbrella: routers, modems, cameras, DVRs, NVRs and so on. Mirai takes control of these devices by exploiting security vulnerabilities in the very old and weak Linux versions that serve as their base operating system, and/or by using default username/password settings that were never changed. On September 22, 2016, Mirai was used to attack Brian Krebs’s blog with 620 Gbps [1] of bandwidth, and on October 21, 2016, another Mirai attack on DYN reached 1.2 Tbps [2]. Mirai’s code was published on hackforums on September 30, 2016 by someone calling himself Anna Senpai. When the details were examined, Mirai’s DDoS capabilities were clear.

After the code was released, another harmful side showed itself. In their work dated 16 October 2016 [4], Rapidity SRG clearly describe a malware sample that can be called more innovative. This malware (Hajime, “start” in Japanese) spread through telnet ports on IoT devices, the same propagation method as Mirai. After infection, however, it uses the BitTorrent DHT to locate its second-stage (stage2) files and BitTorrent uTP to fetch them. This lets Hajime distribute its second-stage code easily. Moreover, by providing such a flexible second stage, this new malware is in effect becoming a generic platform for whatever comes next; seized bots could, for example, be rented out with custom second stages. This is a very important development.

Ioannis Profetis, another researcher in the same area, discusses some changes in the current version of Hajime in a recent blog post [5]. There are comments that Hajime actually protects the infected system from being infected by other malware, alongside changes such as the switch to Wget for downloads and the blocking of access to some ports on the infected system, especially telnet. It has even been reported as a defensive system, written by gray hat hackers, that protects the devices it infects. [6]

I do not agree with the gray hat comments about Hajime. Closing the relevant ports may mean that this is Hajime’s purpose, but it may equally mean refusing to admit anyone else to the place it now occupies, that is, ownership. In addition, the easily replaceable second-stage files lay the groundwork for a platform that can be used for DDoS and similar attacks in the future. In fact, the use of BitTorrent infrastructure in the very first design also points in this direction.

Hajime is not alone in taking an offensive approach to blocking these attacks. BrickerBot, a malware sample discovered recently, renders IoT devices inoperable so that they cannot be infected. You may want to look at the “ruthless” command lines that show how it disables these devices. [7]

In the meantime, it is also interesting that the name Hajime, given by the first researchers, has been adopted by Hajime’s authors in the current versions, and that they now refer to themselves this way. Hajime has currently reached 300,000 devices.

If you are reading this post as an end user, do not leave the predefined passwords on devices such as modems, cameras, DVRs and so on, and turn off the telnet and SSH access ports if they are not needed.

If you are a technical researcher, the following links will interest you. You may also be interested in the article on how Brian Krebs traced the author of Mirai [8].

If you are an enterprise, consider deploying Layer 7 DDoS protection measures.
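As an added detection example (not code from the post or from any of the cited reports), the following Python flags the two network behaviours described above: a source sweeping many targets on tcp/23, which is how Mirai and Hajime propagate, and a single device suddenly talking UDP to many distinct peers, which is what DHT-based stage2 retrieval looks like from the network. The flow record format, addresses and thresholds are constructed assumptions for this example.

```python
# Added example: flag flow sources matching telnet-sweep propagation and
# DHT-style "many UDP peers" behaviour. Format and values are constructed.
from collections import defaultdict

# Constructed flow records in the form "src dst proto dport" (not real capture data).
SAMPLE_FLOWS = (
    [f"192.0.2.10 198.51.100.{i} tcp 23" for i in range(1, 7)]           # telnet sweep
    + [f"192.0.2.20 203.0.113.{i} udp {6881 + i}" for i in range(1, 7)]  # many UDP peers
    + ["192.0.2.30 192.0.2.1 udp 53", "192.0.2.30 203.0.113.9 tcp 443",  # normal client
       "192.0.2.40 198.51.100.1 tcp 23"]                                  # one telnet login
)

TELNET_SCAN_THRESHOLD = 5  # distinct tcp/23 targets from one source (assumed value)
UDP_PEER_THRESHOLD = 5     # distinct non-DNS UDP peers from one source (assumed value)

def parse_flows(lines):
    """Return (src, dst, proto, dport) tuples, skipping malformed lines."""
    flows = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        src, dst, proto, dport = parts
        flows.append((src, dst, proto.lower(), int(dport)))
    return flows

def find_suspicious(flows, telnet_threshold=TELNET_SCAN_THRESHOLD,
                    udp_threshold=UDP_PEER_THRESHOLD):
    """Map each suspicious source address to the list of behaviours it matched."""
    telnet_targets = defaultdict(set)
    udp_peers = defaultdict(set)
    for src, dst, proto, dport in flows:
        if proto == "tcp" and dport == 23:
            telnet_targets[src].add(dst)
        elif proto == "udp" and dport != 53:  # ignore ordinary DNS lookups
            udp_peers[src].add(dst)
    findings = {}
    for src, targets in telnet_targets.items():
        if len(targets) >= telnet_threshold:
            findings.setdefault(src, []).append("telnet-scan")
    for src, peers in udp_peers.items():
        if len(peers) >= udp_threshold:
            findings.setdefault(src, []).append("udp-many-peers")
    return findings

if __name__ == "__main__":
    for src, reasons in find_suspicious(parse_flows(SAMPLE_FLOWS)).items():
        print(src, ", ".join(reasons))
```

Run against the constructed sample, only the sweeping host and the many-peer host are reported; the ordinary client and the single telnet login are not.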

  1. https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/
  2. http://dyn.com/blog/dyn-statement-on-10212016-ddos-attack/
  3. https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
  4. https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf
  5. https://x86.re/blog/hajime-a-follow-up/
  6. https://arstechnica.com/security/2017/04/vigilante-botnet-infects-iot-devices-before-blackhats-can-hijack-them/?comments=1
  7. https://www.bleepingcomputer.com/news/security/new-malware-intentionally-bricks-iot-devices/
  8. https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/

HARPP DDoS Mitigator is listed as one of the “Key Innovators” in MarketsandMarkets’ DDoS Protection and Mitigation Market – Forecast to 2021 Report.

The research report segments the DDoS protection market by Component (Solution and Service), Application Area (Network, Application, Database and Endpoint), Deployment Mode, Organization Size, Vertical, and Region.

Labris Networks is listed as one of the Key Innovators in the 15th chapter of the report with its AI (Artificial Intelligence) based L7, CPE DDoS Mitigation product line and integrated SOC and CERT services. Labris Networks is the game-changing player in the market with its technology and business model innovations.

About MarketsandMarkets:
MarketsandMarkets is the largest market research firm worldwide in terms of premium market research reports published annually. Serving 1,700 Fortune organizations globally with more than 1200 premium studies a year, MarketsandMarkets caters to a multitude of clients across 12 different industry verticals.

Author Details:
Shreyas Waikar
Industry Analyst, Information Security at MarketsandMarkets

Additional information is reachable from the report’s page.
