An IoT malware strain named Hajime was found last October, and it appears to be the work of a vigilante who has set out to take over and then neutralise as many smart devices as he can before other botnets like Mirai can attack them.
While Hajime was first observed last year, it only recently became apparent to researchers that the maker of this malware had no evil intentions for the infected devices.
When it was found last October, Hajime had only a self-replication module, which allowed it to spread from one IoT device to another using open and unsecured Telnet ports.
Since then, researchers have not spotted a single DDoS module, but at first that was not noteworthy, as they had just discovered this new threat and considered Hajime an in-development malware, one that could add DDoS capabilities once it matured.
Hajime becomes mature but never adds a DDoS module
That maturation did not take place, or at least not in the way the researchers had expected.
The initial Rapidity Networks report that unveiled Hajime’s presence to the world also detailed some bugs.
The author of the malware didn’t add a DDoS feature, nor did he use his botnet to relay malicious traffic or carry out any other intrusive operation.
Hajime used to secure IoT devices
After that, Hajime also contacts its C&C server and returns a cryptographically signed message once every ten minutes. The message, which is displayed on the device’s terminal, is:
Just a white hat, securing some systems.
Important messages will be signed like this!