Last week, Ars introduced readers to Hajime, the vigilante botnet that infects IoT devices before blackhats can hijack them. A technical analysis published Wednesday reveals for the first time just how much technical acumen went into designing and building the renegade network, which just may be the Internet's most advanced IoT botnet.
As previously reported, Hajime uses the same list of user name and password combinations used by Mirai, the IoT botnet that spawned several record-setting denial-of-service attacks last year. Once Hajime infects an Internet-connected camera, DVR, and other Internet-of-things device, the malware blocks access to four ports known to be the most widely used vectors for infecting IoT devices. It also displays a cryptographically signed message on infected device terminals that describes its creator as "just a white hat, securing some systems."
Not your father's IoT botnet
But unlike the bare-bones functionality found in Mirai, Hajime is a full-featured package that gives the botnet reliability, stealth, and reliance that's largely unparalleled in the IoT landscape. Wednesday's technical analysis, which was written by Pascal Geenens, a researcher at security firm Radware, makes clear that the unknown person or people behind Hajime invested plenty of time and talent.
One example: Hajime doesn't rashly cycle through a preset list of the most commonly used user name-password combinations when trying to hijack a vulnerable device. Instead, it parses information displayed on the login screen to identify the device manufacturer and then tries combinations the manufacturer uses by default. When attacking a MikroTik router, for instance, Hajime attempts to log in using the user name "admin" and an empty password. That's the factory-default combination, according to the MikroTik documentation. By reducing the number of invalid passwords entered into the login page, Hajime lowers the chances of being locked out or blacklisted.
Also, in stark contrast to Mirai and its blackhat botnet competitors, Hajime goes to great lengths to maintain resiliency. It uses a BitTorrent-based peer-to-peer network to issue commands and updates. It also encrypts node-to-node communications. The encryption and decentralized design make Hajime more resistant to takedowns by ISPs and Internet backbone providers. After researchers from Rapidity Networks in October uncovered a flaw in the encryption implemented in an earlier version of Hajime, a Hajime developer updated the botnet software to fix it.
Here is a full list of features:
- It changes the telnet brute force sequence of credentials depending on the platform it is trying to exploit
- It is capable of infecting ARRIS modems using the password-of-the-day “backdoor” with the default seed as outlined here
- During the infection process, it is able to detect the platform and work its way around missing download commands such as ‘wget’ through the use of a loader stub ‘.s’
- The loader stub is dynamically generated using hex encoded strings based on handcrafted assembly programs that are optimized for each supported platform. The IP address and port number of the loader are patched in the binary upon dynamically generating the loader stub
- The loader from which the malware is downloaded does not have to be the node that is performing the infection. Hajime has a way of detecting the reachability of the infecting device, and if its loader service port is not available from the Internet it will use another node from its network that is known to be reachable to download the initial malware binary
- It uses a trackerless torrent network for command and control (C2) message exchange
- It uses the torrent network to share and update itself and its extension module(s) to/from peers
- To minimize the required ports and TCP sockets, it uses the uTP BitTorrent protocol instead of just TCP in torrent transfers – uTP implements in-order delivery and reliable connectivity on top of UDP and only requires one single socket and UDP/port for all DHT and torrent communications
- All torrent exchanges are encrypted and signed using public and private keys
- The scan and load extension module has the capability to perform UPnP-IGD and punch pin-holes in gateway devices to expose any ports it requires making it effective also from inside the homes
The analysis is based on a collection of vulnerable devices or simulated devices Geenens maintained inside a special laboratory. During the five weeks that Geenens observed his honeypot, Hajime attempted almost 15,000 hijacks from more than 12,000 unique IP addresses scattered all over the world. For now, the greyhat Hajime is outstripping the blackhat IoT botnets in features, robustness, and possibly even the number of infected devices. It wouldn't be surprising, however, if new blackhat versions catch up in the next year or two.
"If Hajime is a glimpse into what the future of IoT botnets looks like, I certainly hope the IoT industry gets its act together and starts seriously considering securing existing and new products," Geenens wrote in a separate post. "If not, our connected hopes and futures might depend on ... grey hat vigilantes to purge the threat the hard way."