Kaspersky Lab published Tuesday results of its investigation into the activity of Hajime, an Internet of Things (IoT) malware that is building an enormous peer-to-peer botnet. Although the end goal remains unknown, the botnet has been propagating extensively, currently including almost 300,000 malware-compromised devices that can be used at the malware author’s disposal, without the victim’s knowledge.
Hajime, meaning ‘beginning’ in Japanese, showed first signs of activity in October 2016. As an advanced and stealthy family, it uses different techniques – mainly brute-force attacks on device passwords – to infect devices, and then takes a number of steps to conceal itself from the compromised victim. Hajime is continuously evolving, adding and removing features over time.
With the addition of the new attack vector, it would make sense to improve the architecture detection logic, since Hajime doesn’t attack any specific type of device but rather any device on the Internet, with the exception of several networks. This is exactly what the authors did, though strangely enough the improved detection only applies to the Telnet attack.
Once the attack successfully passes the authentication stage, the first 52 bytes of the victim’s echo binary are read. The first 20 bytes, which form the ELF header, hold information about the architecture, operating system and other fields. The victim’s echo ELF header is then compared against a predefined array containing the Hajime stub downloader binaries for different architectures. This way the correct Hajime downloader binary that works on the victim’s machine can be uploaded from the attacker, which is actually the infected device that started the attack.
But before this, the host and port that the malware will be downloaded from need to be set. The Hajime stub downloader binary has these values filled with 0xCC placeholder bytes by default, and they are patched in on the fly right before connecting. Furthermore, the downloader needs to be patched with the WAN interface’s name. The attackers use a simple trick here: they ‘echo’ the binary to a file (“.s”), set the WAN interface name, and then echo the last part of the binary.
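To make the fingerprinting step concrete, here is an added Python example (not Kaspersky’s code and not the malware’s) that decodes the architecture fields from the first 52 bytes of an ELF file, the way a honeypot operator or incident responder would classify a device or a captured binary; the sample headers are constructed inline and the e_machine table is a subset of the ELF specification.

```python
import struct

ELF_MAGIC = b"\x7fELF"
# Subset of ELF e_machine values common on consumer IoT devices (from the ELF spec).
E_MACHINE = {0x03: "x86", 0x08: "MIPS", 0x14: "PowerPC", 0x28: "ARM",
             0x2A: "SuperH", 0x3E: "x86-64", 0xB7: "AArch64"}


def parse_elf_header(head: bytes) -> dict:
    """Decode class, byte order and machine from the first 52 bytes of an ELF file.

    The fields used here (e_ident, e_type, e_machine) live in the first 20 bytes,
    which is why reading the head of any binary such as /bin/echo is enough to
    tell which architecture a device runs.
    """
    if len(head) < 52 or head[:4] != ELF_MAGIC:
        raise ValueError("not an ELF header")
    ei_class, ei_data = head[4], head[5]          # EI_CLASS, EI_DATA
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("invalid EI_CLASS/EI_DATA")
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack(endian + "HH", head[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "e_type": e_type,                           # 2 = executable
        "machine": E_MACHINE.get(e_machine, f"unknown(0x{e_machine:02x})"),
    }


def fingerprint(head: bytes) -> str:
    """Compact label suitable as a lookup key, e.g. 'MIPS-32-big'."""
    h = parse_elf_header(head)
    return f"{h['machine']}-{h['bits']}-{h['endian']}"


def build_sample_header(ei_class: int, ei_data: int, e_machine: int) -> bytes:
    """Constructed sample: a minimal 52-byte ELF32-style header, not a real binary."""
    endian = "<" if ei_data == 1 else ">"
    ident = ELF_MAGIC + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8   # 16 bytes
    rest = struct.pack(endian + "HHIIIIIHHHHHH",
                       2, e_machine, 1, 0, 0, 0, 0, 52, 32, 0, 40, 0, 0)  # 36 bytes
    return ident + rest


if __name__ == "__main__":
    for label, head in [("router (constructed)", build_sample_header(1, 2, 0x08)),
                        ("camera (constructed)", build_sample_header(1, 1, 0x28))]:
        print(label, "->", fingerprint(head))
```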
Kaspersky’s honeypot registered 2,593 successful Telnet Hajime attacks in 24 hours. 2,540 of them came from unique IP addresses, 949 hosts provided a payload and 528 had an active web server running on port 80/tcp. Throughout the research period, at least 15,888 unique infected boxes were revealed, though this number is not very accurate. All of them were seeding the Hajime config.
Since its inception, Hajime has been developing new propagation techniques. There is no attacking code or capability within the malware, only a propagation module. As it takes over IoT devices, it makes them part of its peer-to-peer botnet, which is a decentralized group of compromised machines discreetly performing spam or DDoS attacks.
According to Kaspersky Lab researchers, Hajime does not exclusively attack a specific type of device, but rather any device on the internet. Nevertheless, malware authors are focusing their activities on certain devices, including Digital Video Recorders, web cameras and routers. However, Hajime avoids several networks, including those of General Electric, Hewlett-Packard, the US Postal Service, the United States Department of Defense, and a number of private networks.
Infections had primarily come from Vietnam (over 20 percent), Taiwan (almost 13 percent) and Brazil (around 9 percent) at the time of research. Most of the compromised devices are located in Iran, Vietnam and Brazil. Throughout the research period, Kaspersky Lab revealed at least 297,499 unique devices sharing the Hajime configuration.
“The most intriguing thing about Hajime is its purpose,” said Konstantin Zykov, senior security researcher, Kaspersky Lab. “While the botnet is getting bigger and bigger, its objective remains unknown. We have not seen its traces in any type of attack or additional malicious activity. Nevertheless, we advise owners of IoT devices to change the password of their devices to one that’s difficult to brute force, and to update their firmware if possible.”