
A mysterious IoT botnet, and what network admins can do to lower the odds of infection


It’s not very often that infosec pros get a warning of a threat on the horizon, but a news report this week suggests more attention be paid to an Internet of Things-based botnet discovered last fall which hasn’t yet been activated to do harm but whose creators could be looking for a target.

Dubbed Hajime (the word for beginning, in Japanese) by Rapidity Networks, which first reported on it last October, it is estimated to have infected 100,000 poorly secured IoT devices including digital video cameras, DVRs and routers. However, its code specifically searches for devices powered by ARM processors.

Who created it and what it will be used for — if anything — is a question. But researchers warn it has the power of the Mirai botnet which last year pushed a record 620 Gbps distributed denial-of-service (“DDoS”) attack against cyber reporter Brian Krebs.

According to Rapidity Networks, Hajime is a worm which spreads by scanning the public Internet for devices running Telnet servers with insecure default credentials. “What makes Hajime unique,” the company says, “is that it does not rely on centralized malware distribution server(s), but instead communicates over a distributed/decentralized overlay network to receive configuration and software updates.”

It compromises devices by trying several username and password combinations from its hardcoded list of credentials. If it gains entry, it infects the device with a small, short-lived file-transfer program which connects back to the attacking node and copies down a much larger download program. The download program, the second stage, joins a peer-to-peer decentralized network and retrieves its configuration and a scanning program. The scanning program searches the public internet for more vulnerable systems to infect.

“Hajime is much, much more advanced than Mirai,” an expert is quoted by CSO Online. “It has a more effective way to do command and control.”

What — if anything — will this botnet be used for? Possibilities include launching extortion distributed denial of service (DDoS) attacks, being used for financial fraud, or gathering information as a research project. Rapidity Networks suspects the authors want it to be confused with the Mirai botnet. It also assumes the botnet will be weaponized.

What network admins can do, Rapidity Networks says, is scan their infrastructure for unknown services, especially Telnet, to ensure that their networks are secure against attacks of this nature. To stop Hajime specifically, block UDP packets containing P2P traffic, block TCP connections containing attack traffic (the string “/bin/busybox ECCHI”), and consider blocking TCP port 4636, which the worm uses for communications.
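As an added illustration of the blocking advice above (this is not code from the article or from Rapidity Networks), the following Python flags network flows that match the two indicators the article quotes, the “/bin/busybox ECCHI” string in TCP traffic and TCP connections to port 4636, and also notes Telnet exposure so an admin knows which hosts to inspect. The Flow records, addresses and finding names are constructed for this example.

```python
"""Flag flows matching the Hajime indicators quoted in the article.
Indicators from the page: the TCP string "/bin/busybox ECCHI" and TCP port 4636.
Telnet (TCP/23) is reported as an audit finding, since that is the service the
worm brute-forces. All records below are constructed sample data, not captures."""
from dataclasses import dataclass
from typing import Dict, List

HAJIME_MARKER = b"/bin/busybox ECCHI"   # attack-traffic string cited in the article
HAJIME_P2P_PORT = 4636                  # TCP port the article says the worm uses
TELNET_PORT = 23


@dataclass
class Flow:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    payload: bytes


def classify_flow(flow: Flow) -> List[str]:
    """Return the finding names (constructed labels) that apply to one flow."""
    findings = []
    if flow.proto == "tcp" and HAJIME_MARKER in flow.payload:
        findings.append("hajime-busybox-marker")
    if flow.proto == "tcp" and flow.dport == HAJIME_P2P_PORT:   # UDP/4636 does not match
        findings.append("hajime-p2p-port")
    if flow.proto == "tcp" and flow.dport == TELNET_PORT:
        findings.append("telnet-exposed")
    return findings


def host_of_interest(flow: Flow, finding: str) -> str:
    """The marker travels attacker->victim, so the victim is dst; an infected node
    opening the P2P port is src."""
    return flow.src if finding == "hajime-p2p-port" else flow.dst


def summarize(flows: List[Flow]) -> Dict[str, List[str]]:
    """Group findings per host so an admin sees which devices to inspect."""
    report: Dict[str, set] = {}
    for flow in flows:
        for finding in classify_flow(flow):
            report.setdefault(host_of_interest(flow, finding), set()).add(finding)
    return {host: sorted(tags) for host, tags in report.items()}


# Constructed sample flows: a Telnet login carrying the marker, then the same
# device reaching out on the P2P port, plus benign SSH and DNS traffic.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", "192.0.2.5", "tcp", 23, b"/bin/busybox ECCHI\r\n"),
    Flow("192.0.2.5", "198.51.100.7", "tcp", 4636, b"\x00\x01\x02"),
    Flow("192.0.2.8", "192.0.2.9", "tcp", 22, b"SSH-2.0-OpenSSH"),
    Flow("192.0.2.8", "192.0.2.9", "udp", 53, b"\x12\x34\x01\x00"),
]
```

Running `summarize(SAMPLE_FLOWS)` reports 192.0.2.5 with all three findings, which is the pattern of a device that was logged into over Telnet and then began talking to the P2P network.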

Also this week IBM blogger Scott Koegler offers this advice to network admins to ensure devices on their networks aren’t turned into IoT slaves:
