A mysterious evolving Internet of Things (IoT) malware that builds a huge peer-to-peer botnet has been propagating extensively, infecting multiple devices worldwide.
To date, the network includes almost 300 000 malware-compromised devices, ready to work together, to perform the malware author’s instructions without their victims’ knowledge.
Still, Hajime’s real purpose remains unknown as Kaspersky Lab found in an investigation into the malware.
Hajime, meaning “beginning” in Japanese, showed its first signs of activity in October 2016. Since then, it has been evolving, developing new propagation techniques.
However, there is no attacking code or capability in Hajime – only a propagation module. Hajime, an advanced and stealthy family, uses different techniques – mainly brute-force attacks on device passwords – to infect devices, and then takes a number of steps to conceal itself from the compromised victim. Thus, the device becomes part of the botnet.
Hajime does not exclusively attack a specific type of device, but rather any device on the Internet. Nevertheless, malware authors are focusing their activities on some devices. Most of the targets have turned out to be Digital Video Recorders, followed by web-cameras and routers.
According to Kaspersky Lab researchers however, Hajime avoids several networks, including those of General Electric, Hewlett-Packard, the US Postal Service, the US Department of Defense, and a number of private networks.
Infections had primarily come from Vietnam (over 20%), Taiwan (almost 13%) and Brazil (around 9%) at the time of research.
Most of the compromised devices are located in Iran, Vietnam and Brazil.
Overall, throughout the research period, Kaspersky Lab revealed at least 297 499 unique devices sharing the Hajime configuration.
“The most intriguing thing about Hajime is its purpose,” says Konstantin Zykov, senior security researcher at Kaspersky Lab. “While the botnet is getting bigger and bigger, its objective remains unknown.
“We have not seen its traces in any type of attack or additional malicious activity.. Nevertheless, we advise owners of IoT devices to change the password of their devices to one that’s difficult to brute force, and to update their firmware if possible.”