Hajime Botnet Malware Observed Infecting 300,000 Unsecure IoT Devices

Manufacturers fail to eradicate simple security flaws in network-connected devices, allowing attackers to infect hundreds of thousands of them with malware that turns them into botnet nodes.


Over the past six months, a botnet known as Hajime has successfully infected more than 300,000 Internet-of-Things devices, in a sign that manufacturers continue to fail to secure their network-connected devices, according to an analysis published by security firm Kaspersky Lab on April 25.

The botnet mainly uses two methods of attack: brute-force guessing of passwords and logging in with a device's default password, Igor Soumenkov, principal security researcher at Kaspersky Lab, told eWEEK. For example, one module targets Arris cable modems and uses a password-of-the-day algorithm to log in to devices that have that feature enabled. The weakness has been known since 2009, according to Kaspersky Lab.

“What is surprising is that the simplest methods—such as brute forcing the password—still work and they are effective at infecting,” Soumenkov said. “A lot of devices use preset passwords that no one changes, and a lot of times the user cannot even modify the password.”
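The fact that credential guessing still works cuts both ways for a defender: a burst of failed telnet logins from one source, followed by a success, is an easy signal to alert on. As an added example, which is not code from the article or from Kaspersky Lab's analysis, the Python below runs that check over a few constructed syslog-style lines. The `telnetd ... login user=... from=... result=...` line format, the source addresses, the five-failures-in-sixty-seconds threshold and the year used for timestamp parsing are all assumptions chosen for illustration, not the format of any real daemon.

```python
"""Flag telnet brute-force bursts, and bursts that end in a successful login,
in syslog-style lines. Added example; the log format below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log (hypothetical gateway format). 203.0.113.5 fails five
# times and then succeeds; 198.51.100.7 is an ordinary operator mistyping once.
SAMPLE_LOG = """\
Apr 25 10:00:01 gw telnetd[311]: login user=root from=203.0.113.5 result=FAIL
Apr 25 10:00:02 gw telnetd[311]: login user=root from=203.0.113.5 result=FAIL
Apr 25 10:00:03 gw telnetd[311]: login user=admin from=203.0.113.5 result=FAIL
Apr 25 10:00:04 gw telnetd[311]: login user=root from=203.0.113.5 result=FAIL
Apr 25 10:00:05 gw telnetd[311]: login user=root from=203.0.113.5 result=FAIL
Apr 25 10:00:09 gw telnetd[311]: login user=root from=203.0.113.5 result=OK
Apr 25 10:07:00 gw telnetd[311]: login user=operator from=198.51.100.7 result=FAIL
Apr 25 10:07:30 gw telnetd[311]: login user=operator from=198.51.100.7 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ telnetd\[\d+\]: "
    r"login user=(?P<user>\S+) from=(?P<src>\S+) result=(?P<res>OK|FAIL)$"
)

# Classic syslog timestamps carry no year. Only time deltas matter here, so an
# assumed leap year is prepended; without it a "Feb 29" line would not parse.
ASSUMED_YEAR = "2016"


def parse(log_text):
    """Yield (timestamp, source, user, success) for every telnet login line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog line
        ts = datetime.strptime(ASSUMED_YEAR + " " + m["ts"], "%Y %b %d %H:%M:%S")
        yield ts, m["src"], m["user"], m["res"] == "OK"


def analyze(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {source: (finding, user)}.

    'bruteforce'         : >= threshold failures from one source inside window
    'bruteforce_success' : such a burst followed by a successful login, which
                           is the case that almost certainly means compromise
    """
    findings = {}
    recent_failures = defaultdict(list)  # source -> failure timestamps in window
    for ts, src, user, ok in parse(log_text):
        fails = recent_failures[src]
        fails[:] = [t for t in fails if ts - t <= window]  # slide the window
        if ok:
            if len(fails) >= threshold:
                findings[src] = ("bruteforce_success", user)
            # a success with no preceding burst is a normal login
        else:
            fails.append(ts)
            if len(fails) >= threshold and src not in findings:
                findings[src] = ("bruteforce", user)
    return findings


if __name__ == "__main__":
    for src, (kind, user) in analyze(SAMPLE_LOG).items():
        print(f"{src}: {kind} (last user tried: {user})")
```

Running it on the sample flags only 203.0.113.5, escalated to `bruteforce_success` because the burst ended in a working login; the single failure from 198.51.100.7 stays below the threshold. The same loop works unchanged over a live `tail -f` of the gateway's syslog if the line format is adjusted to the real daemon's.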

Hajime, which means “beginning” in Japanese, is a global botnet. While the botnet has focused on finding devices with weak passwords, the programmer, or programmers, behind the malware continue to improve its design. Most recently, the developers added the ability to exploit a protocol used by Internet service providers to remotely manage devices, Kaspersky Lab stated in its analysis.

The botnet has successfully compromised devices around the globe. About half of the infected devices appear to be operating in five different countries: Iran, Brazil, Vietnam, the Russian Federation and Turkey. The lion’s share of the devices appear to be digital video recorders and Internet-connected video systems, Soumenkov said.

“Most of these are cameras and DVRs, or video-security cameras and the servers used to help with recording to the video cameras,” he said. The makers of such systems have historically given short shrift to security, he added. “Most of these devices are produced by a limited number of vendors and they are easy to exploit.”

All the devices targeted by the botnet run some form of Linux or embedded Linux, Soumenkov said. The malware will attempt to detect the specific type of device before trying its telnet exploit, but otherwise does not discriminate, according to Kaspersky Lab’s analysis.

“The malware authors are mainly reliant on very low levels of security,” the researchers stated.

The botnet is unrelated to the infamous Mirai botnet, which has been used to mount distributed denial-of-service attacks that overwhelm victims' networks with traffic. Last September, massive Mirai-driven attacks knocked a popular security blogger’s site offline and hit a large hosting provider.

So far, the purpose of the botnet remains unclear, according to Kaspersky Lab. Unlike Mirai, the Hajime botnet is not known to have been used in an attack.

“While the botnet is getting bigger and bigger, partly due to new exploitation modules, its purpose remains unknown,” the analysis stated. “We haven’t seen it being used in any type of attack or malicious activity.”

However, the author of the malware behind the botnet has apparently left a message behind on every infected device: “Just a white hat, securing some systems. Important messages will be signed like this! Hajime Author.”

So far, there seems to be no evidence that the person or group behind Hajime is securing the systems infected by the malware, Kaspersky said. “Whether the author’s message is true or not remains to be seen,” the analysis concluded.

Robert Lemos


Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...