Hajime IoT Malware and DDoS

In the second half of last year, the Mirai (Japanese "future") malware showed itself with the DDoS attack on DYN, carried out using compromised devices that fall under the broad "IoT" label: routers, modems, cameras, DVRs, NVRs and so on. Mirai takes control of these devices by exploiting security vulnerabilities in the very old and weak Linux versions that serve as their base operating system, and/or unchanged default username/password settings. On September 22, 2016, Mirai was used to attack Brian Krebs's blog, reaching 620 Gbps [1] of bandwidth, and on October 21, 2016 another Mirai attack hit DYN, reaching 1.2 Tbps [2]. Mirai's code was published on Hack Forums on September 30, 2016 by someone calling himself Anna Senpai. Once the details were examined, Mirai's DDoS capabilities became clear.

After the code was released, another harmful side showed itself. In a report dated 16 October 2016 [4], Rapidity Networks' SRG clearly describes a malicious example that we can call more innovative. This malware (Hajime, "start" in Japanese) spread through telnet ports on IoT devices, using the same propagation method as Mirai. After infection, however, it uses the BitTorrent DHT to locate the second-stage (stage2) files and BitTorrent uTP to fetch them. In this way Hajime distributes its second-stage code easily. Moreover, by providing such a flexible second stage, this new malware effectively becomes a generic platform for later purposes: the captured bots can, for example, be rented out with custom second stages. This is a very important development.

Ioannis Profetis, another researcher in the same area, discusses some changes in the current version of Hajime in a recent blog post [5]. Along with changes such as the switch to Wget for downloads and the blocking of access to some ports on the infected system after infection, especially telnet, there are comments that Hajime actually protects the infected system from being infected by other malware. It was even reported to be a defensive system, written by gray hat hackers, that protects these systems [6].

I do not agree with the gray hat hacker comments about Hajime. Closing the relevant ports may mean that this is Hajime's purpose, but it may equally mean not letting anyone else into the device, that is, ownership. In addition, the easily replaceable second-stage files lay the groundwork for a platform that can be used for DDoS and similar attacks in the future. In fact, the use of BitTorrent infrastructure from the first design already points in this direction.

Hajime is not the only one taking an attacking approach to blocking these attacks. The recently discovered BrickerBot malware renders IoT devices inoperable so that they cannot be infected. You may want to look at the "ruthless" command lines showing how it disables these devices [7].

In the meantime, it is also interesting that the name Hajime, given to it by the first researchers, has been accepted by its authors in current versions, and that they now refer to themselves that way. Hajime has currently reached 300,000 devices.

If you are reading this post as an end user, do not leave the pre-defined passwords on devices like modems, cameras, DVRs etc., and turn off the telnet and SSH access ports if they are not needed.
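As an added defensive example (not code from the original post), the following Python checker flags the telnet/SSH default-credential guessing pattern described above in a device's authentication log. The log lines, addresses and regular expressions are constructed assumptions modelled on BusyBox login / dropbear syslog output; adapt them to your own firmware.

```python
"""Flag telnet/SSH credential guessing in an IoT device's auth log."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample (not real device output): an outside host guesses default
# credentials over telnet until it gets in, then a LAN admin logs in over SSH.
SAMPLE_LOG = """\
Apr 20 10:01:02 router login[812]: invalid password for 'root' on 'pts/0' from '198.51.100.7'
Apr 20 10:01:03 router login[813]: invalid password for 'admin' on 'pts/0' from '198.51.100.7'
Apr 20 10:01:04 router login[814]: invalid password for 'root' on 'pts/0' from '198.51.100.7'
Apr 20 10:01:05 router login[815]: invalid password for 'admin' on 'pts/0' from '198.51.100.7'
Apr 20 10:01:06 router login[816]: root login on 'pts/0' from '198.51.100.7'
Apr 20 10:05:00 router dropbear[900]: Password auth succeeded for 'admin' from 192.168.1.10:51000
"""

# The regexes are assumptions about BusyBox login / dropbear syslog format.
FAIL_RE = re.compile(r"invalid password for '(?P<user>[^']+)'.* from '(?P<src>[\d.]+)'")
TELNET_OK_RE = re.compile(r"(?P<user>\w+) login on '[^']+' from '(?P<src>[\d.]+)'")
SSH_OK_RE = re.compile(r"auth succeeded for '(?P<user>[^']+)' from (?P<src>[\d.]+):\d+")
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def on_lan(ip):
    """True if ip is in an RFC 1918 range, i.e. on the device's LAN side."""
    return any(ipaddress.ip_address(ip) in net for net in LAN_NETS)


def analyse(log_text, threshold=3):
    """Return (kind, source_ip, user, failure_count) findings: 'guessed-login'
    (success after >= threshold failures from one source, the default-password
    pattern), 'external-login' (success from outside the LAN), 'brute-force'."""
    failures = defaultdict(int)
    findings = []
    for line in log_text.splitlines():
        fail = FAIL_RE.search(line)
        if fail:
            failures[fail["src"]] += 1
            continue
        ok = TELNET_OK_RE.search(line) or SSH_OK_RE.search(line)
        if not ok:
            continue
        src, user = ok["src"], ok["user"]
        if failures[src] >= threshold:
            findings.append(("guessed-login", src, user, failures[src]))
        elif not on_lan(src):
            findings.append(("external-login", src, user, 0))
    findings.extend(("brute-force", s, None, n) for s, n in failures.items() if n >= threshold)
    return findings
```

A 'guessed-login' finding is the signal to change the device's credentials and close the telnet port immediately; an 'external-login' alone shows the management port is reachable from the Internet.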

If you are a technical researcher, the links below will interest you. You may also be interested in the article on how Brian Krebs traced the author of Mirai [8].

If you are an enterprise, consider deploying Layer 7 DDoS protection measures.

  1. https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/
  2. http://dyn.com/blog/dyn-statement-on-10212016-ddos-attack/
  3. https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html
  4. https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf
  5. https://x86.re/blog/hajime-a-follow-up/
  6. https://arstechnica.com/security/2017/04/vigilante-botnet-infects-iot-devices-before-blackhats-can-hijack-them/?comments=1
  7. https://www.bleepingcomputer.com/news/security/new-malware-intentionally-bricks-iot-devices/
  8. https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/