A botnet discovered late last year has ballooned in size in the past few weeks, but it's left security researchers confused -- if not somewhat unnerved -- as to what it does.
The malware, dubbed Hajime, was found in October last year, around the same time as the notorious and now-infamous Mirai botnet was used in a cyberattack to bring down vast swathes of the US internet offline by overloading servers with traffic.
The Hajime botnet has so far infected 300,000 internet-connected devices since its inception, bringing digital video recorders, webcams, and routers under its control -- though it's careful not to target several specific networks, including the US Dept. of Defense. Like Mirai, the malware attacks devices that have weak or default usernames and passwords -- all too often it's "admin" or "root," says recent research -- which makes it easy to break in and run commands.
What the Hajime malware does differently though is remove certain firewall ports and open up several other ports to build a peer-to-peer command and control structure.
But there's a catch. Nobody's quite sure what the botnet is for, or who's behind it.
"The most intriguing thing about Hajime is its purpose," said security researchers at Kaspersky in a blog post Tuesday, adding that its purpose "remains unknown."
"We haven't seen it being used in any type of attack or malicious activity," the researchers said.
So far researchers seem to be mixed on the motives and reasoning behind the botnet, but aren't set on ruling anything out. All signs are pointing to a possible white-hat hacker, who has taken it upon themselves to "secure some systems," according to a note left on each system that the botnet infects.
But any botnet -- even the ones born from good intentions -- can be used for malicious purposes, either by the botnet owner or if it were hijacked.
A map showing the geographic sources of Hajime infection. (Image: Radware)
Radware researchers said Wednesday in a threat advisory seen by ZDNet that the botnet's "flexible and extensible nature" could be used for malicious reasons, like carrying out a distributed denial-of-service attack, spreading malware, or conducting massive surveillance of real-time streams from webcams. The malware could also be triggered to instantly brick the infected devices at the command of the author, as seen recently with the so-called BrickerBot malware.
The researchers also say that a recently-patched vulnerability in Hajime could have allowed a hacker to take control of the botnet.
"Such a large botnet with such flexibility will attract the attention of competing hackers, so I consider it a possibility that Hajime will be targeted by competing hackers who might try to break the command and control and take over the commands of the botnet, pretty much hijacking the botnet and using it for malicious purposes," said Pascal Geenens, Radware cybersecurity evangelist.
"The vulnerability has been closed by the malware author, but it proves that malware can contain vulnerabilities," he added.
Researchers are keeping a close eye to find out more.
"It seems Hajime is still under the control of its original author -- so I hope -- and mostly we are considering his intentions to be good," said Geenens. "I wonder why this white knight keeps growing his botnet and keeps the devices hostage -- searching and scanning aggressively for the next potential victim," he added.
But with hundreds of thousands of devices already caught in Hajime's web -- and growing, it's not likely the security community is going to take its eye off the ball any time soon.