Following on the heels of Mirai, a family of malware exploiting Internet of Things devices, [Sam Edwards] and [Ioannis Profetis] of Rapidity Networks have discovered a malicious Internet worm dubbed Hajime which targets Internet of Things devices.
Around the beginning of October, news broke of an IoT botnet turning IP webcams around the world into a DDoS machine. Rapidity Networks took an interest in this worm and set out a few honeypots in the hopes of discovering what makes it tick.
Looking closely at the data, there was evidence of a second botnet that was significantly more sophisticated. Right now, they’re calling this worm Hajime.
The Hajime worm affects Internet of Things devices running BusyBox, a bundle of Unix utilities packed into a single binary that is popular in embedded and Internet of Things systems. The worm propagates over port 23 (Telnet), logging in with username and password combinations from a hardcoded list of credentials.
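On a Telnet honeypot, this kind of propagation appears as one source trying many distinct credential pairs in quick succession. The sketch below is an added example (not Rapidity Networks' tooling) that flags that pattern; the log format, thresholds, addresses and credential placeholders are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a hypothetical honeypot log format (not from the article).
SAMPLE_LOG = """\
2016-10-05T03:12:01 198.51.100.7 telnet-login user=u1 pass=p1 result=fail
2016-10-05T03:12:03 198.51.100.7 telnet-login user=u1 pass=p2 result=fail
2016-10-05T03:12:05 198.51.100.7 telnet-login user=u2 pass=p1 result=fail
2016-10-05T03:12:07 198.51.100.7 telnet-login user=u2 pass=p3 result=fail
2016-10-05T03:12:09 198.51.100.7 telnet-login user=u3 pass=p3 result=ok
2016-10-05T04:00:00 203.0.113.20 telnet-login user=u1 pass=p9 result=fail
2016-10-05T04:00:04 203.0.113.20 telnet-login user=u1 pass=p9 result=fail
2016-10-05T01:00:00 192.0.2.44 telnet-login user=u1 pass=p1 result=fail
2016-10-05T02:00:00 192.0.2.44 telnet-login user=u2 pass=p2 result=fail
2016-10-05T03:00:00 192.0.2.44 telnet-login user=u3 pass=p3 result=fail
2016-10-05T04:00:00 192.0.2.44 telnet-login user=u4 pass=p4 result=fail
garbled line from a truncated write
"""

LINE_RE = re.compile(r"^(\S+) (\S+) telnet-login user=(\S*) pass=(\S*) result=(ok|fail)$")

def parse(log_text):
    """Yield (timestamp, src_ip, (user, password), accepted) per well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # malformed lines are skipped
            ts, src, user, pw, result = m.groups()
            yield datetime.fromisoformat(ts), src, (user, pw), result == "ok"

def find_credential_walkers(log_text, min_pairs=4, window=timedelta(seconds=60)):
    """Flag sources trying >= min_pairs distinct credential pairs within one window."""
    by_src = defaultdict(list)
    for ts, src, pair, ok in parse(log_text):
        by_src[src].append((ts, pair, ok))
    flagged = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e[0])
        start, best = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            best = max(best, len({p for _, p, _ in events[start:end + 1]}))
        if best >= min_pairs:
            # "succeeded" is True if any login from this source was accepted
            flagged[src] = {"pairs": best, "succeeded": any(ok for _, _, ok in events)}
    return flagged

if __name__ == "__main__":
    print(find_credential_walkers(SAMPLE_LOG))
```

A source that retries one pair, or spreads its attempts over hours, stays below the threshold; tune `min_pairs` and `window` to the traffic your own sensors see.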
Right now, the extent of the Hajime worm is small. It appears the author is still in the propagation phase of his botnet. According to Rapidity Networks, the author is building out the botnet before deploying more advanced payloads. Like the previous IoT worm, Hajime could easily be used for a DDoS attack, or to sell ‘deployment services’ to future botnets.
Millions of Internet of Things devices have been sold with Telnet open and hardcoded credentials. The fact that devices like this exist makes IoT botnets inevitable. This isn’t the first botnet or worm directed at IoT devices capable of deploying payloads or killing servers. Until IoT device manufacturers get their act together, it won’t be the last, either.