Hajime, Yet Another IoT Botnet

Following on the heels of Mirai, a family of malware exploiting Internet of Things devices, [Sam Edwards] and [Ioannis Profetis] of Rapidity Networks have discovered a malicious Internet worm dubbed Hajime which targets Internet of Things devices.

Around the beginning of October, news of an IoT botnet came forward, turning IP webcams around the world into a DDoS machine. Rapidity Networks took an interest in this worm, and set out a few honeypots in the hopes of discovering what makes it tick.

Looking closely at the honeypot data, they found evidence of a second, significantly more sophisticated botnet. Right now, they’re calling this worm Hajime.

The Hajime worm affects Internet of Things devices running BusyBox, a Unix-like userland popular in embedded and Internet of Things systems. The Hajime worm propagates itself through port 23 – Telnet – by trying username and password combinations hardcoded into a list of default credentials.
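The propagation mechanism just described, Telnet logins tried from a fixed list of factory-default credentials, is exactly the behaviour a honeypot or a device’s own login log exposes. The script below is an added example, not code from the Hackaday post or from Rapidity Networks’ analysis: it parses constructed login records in a hypothetical one-line-per-attempt format, groups attempts by source address, and flags sources that spray several credential pairs, guess known factory defaults, or log in successfully with one. The log format, the sample lines, the IP addresses (documentation ranges) and the small default-credential set are all assumptions made for the example.

```python
"""Flag Telnet credential spraying and default-credential logins in a login log.

Added example (not from the original post). The record format is hypothetical,
modelled on a minimal Telnet honeypot that logs one line per login attempt:
    <ISO timestamp> telnet-login src=<ip> user=<name> pass=<password> result=<ok|fail>
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample records, not captured traffic. Addresses are from the
# RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2016-10-05T08:00:01Z telnet-login src=203.0.113.5 user=root pass=admin result=fail
2016-10-05T08:00:02Z telnet-login src=203.0.113.5 user=admin pass=admin result=fail
2016-10-05T08:00:03Z telnet-login src=203.0.113.5 user=root pass=12345 result=fail
2016-10-05T08:00:04Z telnet-login src=203.0.113.5 user=root pass=default result=ok
2016-10-05T08:10:00Z telnet-login src=198.51.100.7 user=operator pass=operator result=fail
2016-10-05T08:12:00Z telnet-login src=192.0.2.9 user=alice pass=correct-horse result=ok
"""

# A small, illustrative set of factory defaults (assumed for the example).
# A real deployment would load its own list, e.g. the vendor defaults of the
# devices it actually operates.
DEFAULT_CREDENTIALS = {
    ("root", "admin"), ("admin", "admin"), ("root", "12345"),
    ("root", "default"), ("operator", "operator"),
}

# Passwords are matched as non-whitespace runs; the assumed log format does
# not quote them, so a password containing a space would not parse.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnet-login src=(?P<src>\S+) user=(?P<user>\S*) "
    r"pass=(?P<pw>\S*) result=(?P<result>ok|fail)$"
)


@dataclass
class SourceStats:
    attempts: int = 0
    credentials: set = field(default_factory=set)  # distinct (user, pw) pairs
    default_hits: int = 0       # attempts that used a known default pair
    default_successes: int = 0  # successful logins with a known default pair
    successes: int = 0


def parse_line(line):
    """Return the record fields as a dict, or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text):
    """Aggregate per-source attempt counts and credential variety."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["src"]]
        pair = (rec["user"], rec["pw"])
        s.attempts += 1
        s.credentials.add(pair)
        is_default = pair in DEFAULT_CREDENTIALS
        ok = rec["result"] == "ok"
        s.default_hits += is_default
        s.successes += ok
        s.default_successes += is_default and ok
    return dict(stats)


def flag_sources(stats, min_distinct=3):
    """Classify each source. Severity, highest first:
    'compromised'   - a login succeeded with a factory-default pair
    'spray'         - at least `min_distinct` distinct pairs were tried
    'default-guess' - a factory-default pair was tried but failed
    Sources matching none of these (e.g. one non-default login) are not flagged."""
    findings = {}
    for src, s in stats.items():
        if s.default_successes:
            findings[src] = "compromised"
        elif len(s.credentials) >= min_distinct:
            findings[src] = "spray"
        elif s.default_hits:
            findings[src] = "default-guess"
    return findings


if __name__ == "__main__":
    for src, sev in sorted(flag_sources(summarize(SAMPLE_LOG)).items()):
        print(f"{src:<16} {sev}")
```

On the constructed sample, 203.0.113.5 is reported as compromised (four distinct pairs, the last a default that succeeded), 198.51.100.7 as a default-guess, and 192.0.2.9 is not flagged. The same `summarize` output can drive a block rule or a ticket; the threshold `min_distinct` is deliberately low because a legitimate administrator rarely cycles through several username/password pairs on an embedded device.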

Right now, the extent of the Hajime worm is small. It appears the author is still in the propagation phase of his botnet. According to Rapidity Networks, the author is building out the botnet before deploying more advanced payloads. Like the previous IoT worm, Hajime could easily be used for a DDoS attack, or by selling ‘deployment services’ to future botnets.

Millions of Internet of Things devices have been sold with Telnet open and hardcoded credentials. The fact that devices like this exist makes IoT botnets inevitable. This isn’t the first botnet or worm directed at IoT devices capable of deploying payloads or killing servers. Until IoT device manufacturers get their act together, it won’t be the last, either.

31 thoughts on “Hajime, Yet Another IoT Botnet”

  1. Jeebus, are they using a two-decade-old text on internet security that says something like “It’s okay to use a hardcoded password with at least 6 letters because a hacker with an apple ][ will only be able to brute force it over a modem link in upwards of 500 days.”

    1. The usual method is get it working and add security later on. But once it is in any way half working the product is shipped. Get the faulty version out the door and the money in. And if it is broken badly enough it will force people to buy version 2.0, which is great news for marketing. Version 2.0 will have the same hardcoded username and password but will use ssh instead of telnet. Time for version 3.0, ssh, same hard coded username, but the password was changed. ……

  2. It’s all a big game really.

    I make something useful and you try and make use of it for something else.

    I just wonder what they will do with my internet connected toilet seat.

    1. Exactly my thought.

      At first, like Aaa, I thought along regulatory lines. But slowly I realize that most IoT companies are high-risk things which probably don’t exist at the moment the “thing” is unleashed upon us.

      By now I only see a chance in “vigilante” botnets. Whenever a vulnerability is known, make a bot which *puts the device out right away* (well, may be after it has propagated four or five times).

      This way, the stupid devices will stop working shortly after they’ve been bought: they get a bad rap and nobody buys them.

    2. That is always an option, for a state actor, they have the legal right to act offensively if it serves their mission to protect local infrastructure.

      So does this worm leave the door open or slam it shut after taking control?

  3. There should be requirement (enforced by CE certification rules or something like that) that firmware upgrade protocols and firmware images (not necessarily source code) should be publicly available and user-patchable. If some part of device is part of botnet – there should be a chance for patching it. If you can’t patch a certified device – producer AND DISTRIBUTOR are both responsible for losses and damages. And after some warnings – also the user.

  4. Swann Security in Australia should be indicted for how many vulnerable IoT security camera systems they have knowingly sold to their customers.

    They took Chinese crap, translated it to English and sold it at at least 400% markup to gullible average Australians.

    1. So who owns them (or the actual company that is really liable in a legal sense), probably a Chinese company that links back to the Chinese government who would claim sovereign immunity even if you did win a legal case against them. If you want the option to be able to hold a vendor legally liable for their products then don’t deal with Chinese companies, or any other state owned companies for that matter, from any country.

  5. Just a question.

    Why is port 23 open on so many internet connections?
    I mean, if I got a camera I would only open port 80, or better another higher one so nobody would find it in the normal search, but why port 23?

    Just curious

        1. Because they were TRICKED into doing so by the product manual, when they should have returned it because it told them to go get hacked by opening up port 23…

          If it’s open for the camera then it’s open for all other computers, unless you set up a special “zone” for your camera, but if you know how to do that then you would probably not trust the device anyway.

          Port 23 is used for telnet. If you don’t know what telnet is, and if your user manual is specifying to open it in your router but NOT asking you to install and run telnet (and type stuff into it), then suspect the intentions of anyone and everyone that had access to the user manual before printing.

          Although it is technically possible to use the telnet protocol for a GUI app, it is highly inefficient (and highly insecure). Telnet is from before the internet; the full meaning of TelNet is TelephoneNetwork, i.e. dial-up. I’m sure modern telnet is slightly more secure, but seriously, computers don’t like to converse in HUMAN language, it’s just extra data to convert and push that results in a smile on the face of anyone wishing to do harm. It just doesn’t get any easier than spying on an internet datastream that literally screams human things like PASSWORD=161021cherry instead of some binary+hash. Telnet is not for people that don’t know how to use it safely.

          In case anyone did not get what I was trying to explain: if a remote-control app requires port 23 then you got ripped off. According to the patent rules of earth, this device is not patentable because it does not include anything unique that did not exist before in all the competitors, and any mention of patents are pure lies and they should not be trusted or funded; get a refund while you still can.

  6. I disabled UPnP long ago because I was afraid of this very thing, and had cameras that kept opening a bunch of ports to the world.

    Yes, it causes a few minor annoyances setting up things like VoIP, but my cameras are secure behind the firewall and aren’t contributing to this hilarity.
