It’s been dubbed the “vigilante IoT worm” because it blocks rival botnets.
Kapersky Lab has released a new report about the Hajime botnet, built on a mysterious type of malware that researchers have dubbed a “vigilante IoT worm” due to its habit of blocking rival botnets.
According to the report, Hajime has compromised over 300,000 IoT devices. It is a competitor of Mirai, both of which are jostling for control of unsecure IoT products like routers, security cameras and DVRs, and it’s causing growing concern in the security community.
Researchers aren’t sure what quite to make of the botnet. It doesn’t rely on a command or control server, and exploits factory default usernames and passwords to force its way into devices with open telnet ports. Once it infects a device or network, it doesn’t cause any damage. Instead it actually does something good by blocking ports that could be used for malicious purposes, and leaves this message behind:
“Just a white hat, securing some systems.
Important messages will be signed like this!
Hajime Author.
Contact CLOSED
Stay sharp!”
Researchers say the botnet also has a preprogrammed list of networks to avoid including Hewllet-Packard, GE, the US Department of Defense and the US Postal Service. The source of the majority of infections is Vietnam (20%), Taiwan (13%) and Brazil (9%).
“The most intriguing thing about Hajime is its purpose. While the botnet is getting bigger and bigger, its objective remains unknown. We have not seen its traces in any type of attack or additional malicious activity. Nevertheless, we advise owners of IoT devices to change the password of their devices to one that’s difficult to brute force, and to update their firmware if possible,” said Konstantin Zykov, senior security researcher at Kaspersky Lab.
Kapersky strongly urges owners of IoT devices to change the default username and password and disable remote access.