Hajime, a piece of Internet of Things (IoT) malware that emerged in October 2016, has already ensnared roughly 300,000 devices in a botnet, Kaspersky Lab researchers say.
The malware emerged around the same time the infamous Mirai botnet started making the rounds, and is targeting the same devices that this threat does, but without using them to launch distributed denial of service (DDoS) attacks. Instead, it simply closes some ports to keep the infected devices away from Mirai and similar threats.
Called Hajime to keep the naming scheme in line with Mirai (they mean “beginning” and “future” in Japanese, respectively), the worm managed to build a peer-to-peer (P2P) botnet, but researchers aren’t sure about its purpose right now. Symantec said recently that a white hat hacker could have created the malware, but suggested that the botnet could be easily repurposed for nefarious operations.
What’s certain, however, is that Hajime’s author continues to update the code, as recently made changes were seen in the attack module. At the moment, the worm supports three different attack methods: TR-069 exploitation, Telnet default password attack, and Arris cable modem password of the day attack. The TR-069 exploit was implemented only recently, Kaspersky reveals.
TR-069 (Technical Report 069), a standard published by the Broadband Forum, is used by ISPs to manage modems remotely via TCP port 7547 (some devices use port 5555). By abusing the TR-069 NewNTPServer feature, attackers can execute arbitrary commands on vulnerable devices. Late last year, the TR-069 attack was used to crash nearly 1 million modems from Deutsche Telekom.
According to Kaspersky, Hajime attacks any device on the Internet with the exception of several networks, and its author recently improved the architecture detection logic. Thus, after passing the authentication stage, the malware reads the first 52 bytes of the victim’s echo binary (information about architecture and operating system is in the first 20 bytes), and then compares the echo ELF header against a predefined array, so as to fetch the correct Hajime-downloader binary.
On the other hand, despite Hajime being able to attack any device, the authors focused on some specific brands/devices, as the worm uses only specific username-password combinations to brute-force its way into vulnerable devices. The threat uses one combination or the other based on words contained in the welcome message when opening a telnet session.
source: securityweek