Woburn, MA – April 25, 2017 – Kaspersky Lab has published the results of its investigation into the activity of Hajime, an Internet of Things (IoT) malware that is building an enormous peer-to-peer botnet. Although the end goal remains unknown, the botnet has been propagating extensively, currently including almost 300,000 malware-compromised devices that can be used at the malware author’s disposal, without the victim’s knowledge.
Hajime, meaning ‘beginning’ in Japanese, showed first signs of activity in October 2016. As an advanced and stealthy family, it uses different techniques – mainly brute-force attacks on device passwords – to infect devices, and then takes a number of steps to conceal itself from the compromised victim.
Since its inception, Hajime has been developing new propagation techniques. There is no attacking code or capability within the malware, only a propagation module. As it takes over IoT devices, it makes them part of its peer-to-peer botnet, which is a decentralized group of compromised machines discreetly performing spam or DDoS attacks.
According to Kaspersky Lab researchers, Hajime does not exclusively attack a specific type of device, but rather any device on the internet. Nevertheless, malware authors are focusing their activities on certain devices, including Digital Video Recorders, web cameras and routers. However, Hajime avoids several networks, including those of General Electric, Hewlett-Packard, the US Postal Service, the United States Department of Defense, and a number of private networks.
Infections had primarily come from Vietnam (over 20%), Taiwan (almost 13%) and Brazil (around 9%) at the time of research. Most of the compromised devices are located in Iran, Vietnam and Brazil. Throughout the research period, Kaspersky Lab revealed at least 297,499 unique devices sharing the Hajime configuration.
“The most intriguing thing about Hajime is its purpose,” said Konstantin Zykov, senior security researcher, Kaspersky Lab. “While the botnet is getting bigger and bigger, its objective remains unknown. We have not seen its traces in any type of attack or additional malicious activity. Nevertheless, we advise owners of IoT devices to change the password of their devices to one that’s difficult to brute force, and to update their firmware if possible.”
To learn more about Hajime botnet, read the blog post available at Securelist.com.