White-hat Botnet Infects, Then Secures IoT Devices

[Symantec] reports that Hajime appears to be a white-hat worm: it spreads over Telnet, but rather than doing anything malicious it secures the IoT devices it infects.

[Brian Benchoff] wrote a great article about the Hajime worm just as the story broke, when it was first discovered back in October last year. At the time, it looked like the beginnings of a malicious IoT botnet out to cause some DDoS trouble. In a crazy turn of events, it now seems that the worm is actually securing devices affected by another major IoT botnet, dubbed Mirai, which has been launching DDoS attacks. More recently a new Mirai variant has been launching application-layer attacks, since Mirai's source code was uploaded to a GitHub account and adapted.

Hajime is a much more complex botnet than Mirai: it is controlled over a peer-to-peer network, with commands propagating from infected device to infected device, whereas Mirai uses hard-coded addresses for its command-and-control server, a single point that can be blocked or sinkholed. Hajime also cloaks itself better, hiding its process from the running process list and hiding its files on the device.

The author can open a shell on any infected machine in the network at any time, and the code is modular, so new capabilities can be added on the fly. It is apparent from the code that a fair amount of development time went into designing this worm.
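Both Mirai and Hajime get onto a device the same way, over Telnet, so the check a defender wants is whether anything on the network is seeing that kind of login traffic. The following is an added example, not Symantec's analysis or code from either worm: it walks a constructed syslog-style telnetd log (the line format is a hypothetical assumption, as is the sample data) and flags a source that fails against several usernames within a minute, the signature of a worm working through a built-in credential list, then records whether that source went on to log in successfully.

```python
"""Flag Mirai/Hajime-style Telnet credential spraying in device auth logs.

Added example: the log format below is a hypothetical syslog-style telnetd
(constructed here), not a real appliance's format; adjust LINE_RE to match yours.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines: one source works through a default-credential list
# and gets in; another logs in cleanly after a single typo.
SAMPLE_LOG = """\
2017-04-18T10:00:01 cam01 telnetd[412]: LOGIN FAILED user=root from=203.0.113.10
2017-04-18T10:00:02 cam01 telnetd[412]: LOGIN FAILED user=admin from=203.0.113.10
2017-04-18T10:00:02 cam01 telnetd[412]: LOGIN FAILED user=support from=203.0.113.10
2017-04-18T10:00:03 cam01 telnetd[412]: LOGIN FAILED user=user from=203.0.113.10
2017-04-18T10:00:04 cam01 telnetd[412]: LOGIN FAILED user=guest from=203.0.113.10
2017-04-18T10:00:05 cam01 telnetd[412]: LOGIN FAILED user=root from=203.0.113.10
2017-04-18T10:00:06 cam01 telnetd[412]: LOGIN OK user=root from=203.0.113.10
2017-04-18T10:03:30 cam01 telnetd[413]: LOGIN FAILED user=root from=192.0.2.7
2017-04-18T10:03:45 cam01 telnetd[413]: LOGIN OK user=root from=192.0.2.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ telnetd\[\d+\]: LOGIN (?P<status>OK|FAILED) "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$"
)

WINDOW = timedelta(seconds=60)  # sliding window per source address
FAIL_THRESHOLD = 5              # this many failures in WINDOW is a spray
USER_THRESHOLD = 3              # or this many distinct usernames in WINDOW


def parse_line(line):
    """Return (timestamp, status, user, src), or None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["status"], m["user"], m["src"]


def detect_sprays(log_text):
    """Return {src: finding} for sources whose failures look like a credential spray.

    A worm working through a built-in username/password list produces many
    failures against several usernames in seconds; a human typo does not.
    A successful login from an already-flagged source is recorded separately,
    because that is the moment the device was most likely taken over.
    """
    recent = defaultdict(deque)  # src -> deque of (ts, user) failures inside WINDOW
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, status, user, src = rec
        q = recent[src]
        while q and ts - q[0][0] > WINDOW:  # expire failures older than WINDOW
            q.popleft()
        if status == "FAILED":
            q.append((ts, user))
            users = {u for _, u in q}
            if len(q) >= FAIL_THRESHOLD or len(users) >= USER_THRESHOLD:
                f = findings.setdefault(src, {
                    "first_seen": ts, "failures": 0,
                    "distinct_users": set(), "login_after_spray": False,
                })
                f["failures"] = max(f["failures"], len(q))
                f["distinct_users"] |= users
        elif src in findings:  # LOGIN OK from a source already caught spraying
            findings[src]["login_after_spray"] = True
    # sets -> sorted lists so the result is stable and easy to serialise
    return {src: {**f, "distinct_users": sorted(f["distinct_users"])}
            for src, f in findings.items()}


if __name__ == "__main__":
    for src, f in detect_sprays(SAMPLE_LOG).items():
        state = "COMPROMISED" if f["login_after_spray"] else "spraying"
        print(f"{src}: {state}, {f['failures']} failures, users={f['distinct_users']}")
```

The regex and the two thresholds are the parts to tune for a real device's log; the per-source sliding window is what keeps a single mistyped password from alerting while still catching a worm that paces its attempts.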

So where is this all going? So far it is beginning to look like a cyber battle of Good vs. Evil. Or it's a turf war between rival cyber-mafias. Only time will tell.

32 thoughts on “White-hat Botnet Infects, Then Secures IoT Devices”

  1. There is no hat.
    People “secure” devices as they infect, usually for sole control of the botnet.
    The lack of payload does not make them morally enlightened.

    Most of the time people who identify as “Security experts” are just uncreative sociopaths looking for adoration by the naive.

    Maybe auto-install BSD over Windows 10 as a forced update would eliminate most issues.

    1. There’s a one-line fix for that: s/”?[Ss]ecurity [Ee]xperts”?/DISGUISED HACKERS \(probably malicious\)/
      It even works with capital letters, though it can’t tell if said security experts are actually malicious.

    1. LOL, saw this article’s news over at N-O-D-E.net just yesterday, Dead-drop 15.

      Presumably someone with good intentions…. Still interesting to see how this pans out.

        1. Yeh, I hax0r’d myself by closing the new tab and CTRL+L, CTRL+V, RTN-ing the already loaded tab; the browser just kept stale data, LOL. I was supposed to paste in the new tab.

          Not as bad as my brother:
          Back at the end of the XP era (the extended era, not the current POSReady era) I had set a few things tighter in my firewall settings, and some tweaks. My brother uses some downloaded Metasploit-like package for Windows on his laptop. He tried to send a remotely requested shutdown to my laptop… however, I had long beforehand found out how to configure an echo-back setting of some kind on all things blocked, something like that as far as I can remember about XP’s firewall settings. Needless to say the request was echoed back to his PC and his PC shut itself down.

    1. No-one “deserves” to be hacked.

      You don’t have to be a moron to buy an internet router with a firewall built in, change the password like your computer-savvy brother-in-law told you, then buy a webcam and hook it up in your house. You didn’t change the password on that because it is behind the firewall. Makes perfect sense until you learn about UPnP, which happens to be enabled by default on a large number of routers and cameras.

    1. Future versions of this botnet will show “This device is insecure. Do you want it to self-destruct?” in the configuration page, with a big “YES” button and a small text saying “Not clicking YES in 60 seconds will automatically brick the device and overheat the CPU”. So it will be done with both consent and knowledge.

    2. White hat in the sense of morals, then yes. White hat as defined in profession? No. White Hat and Black hat in those terms requires money, and this would then be termed Grey Hat.

  2. The devices need to be configured to DoS the people who sold it (eternally) and then be secured so the changes cannot be undone. This is the only way they will learn to secure their devices.

    1. Sad thing is that DoS-ing someone hurts more for the middlemen. There is no protection from crap of this magnitude generated by IoT gear, so even if the proposed stream hits the intended target, the collateral would be way too much. It could potentially wipe off their ISP too, and all its customers.
