Hajime malware: How does it differ from the Mirai worm?

Hajime malware was discovered to have links to the Mirai botnet that launched powerful DDoS attacks last year. Expert Nick Lewis explains how Hajime differs from Mirai.

Rapidity Networks researchers discovered a new internet of things worm they called Hajime, which they captured in honeypots set up to study the Mirai malware. Hajime malware has some similarities to Mirai, such as the ability to scan the internet for devices running the Telnet service. How does the Hajime malware spread, and how is it different than the Mirai botnet?

Most types of malware have similarities, but implementation details may differ widely. If different types of malware have similar targets, then it is likely there will be more similarities in the malware.

Internet of things (IoT) devices may be very diverse in functionality, but their IT aspects are very similar because people want to be able to control or access the devices from their smartphones and computers for many reasons. These IT aspects are a huge component of the security challenge, as using insecure shared libraries and software development environments can result in many of the same security vulnerabilities, such as default accounts with weak passwords.

The Rapidity Networks Security Research Group speculated the Hajime malware would be used like the Mirai botnet in distributed denial-of-service attacks, but only the first two stages of the attack were observed.

Hajime identifies systems to infect by scanning the internet for systems running Telnet on TCP port 23, and then tries to log in with default accounts and passwords. Once logged in, the worm inspects the local system to determine what malware to upload in order to take control of the device. Once Hajime malware takes control of the system, it uses a peer-to-peer connection for the command-and-control infrastructure.

Hajime malware and the Mirai worm have very similar attack patterns, but the Hajime scanning logic appears to be taken from qBot.

Rapidity Networks researchers reported Hajime started scanning a couple of days before Mirai, uses a different login sequence and uses more advanced methods to determine what malware to run on the target system. Enterprises should be aware that there are two distinct threats, and should plan accordingly to defend against and mitigate them.
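One way to look for the Telnet scanning behavior described above in network flow data, as an added example that is not from the original article or from Rapidity Networks. The record layout, addresses and thresholds are constructed assumptions, and the inbound-then-outbound heuristic is a generic worm-propagation check rather than a Hajime-specific signature.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not real traffic):
# (epoch_seconds, src_ip, dst_ip, proto, dst_port)
SAMPLE_FLOWS = [
    (100, "198.51.100.7", "10.0.0.11", "tcp", 23),
    (101, "198.51.100.7", "10.0.0.12", "tcp", 23),
    (102, "198.51.100.7", "10.0.0.13", "tcp", 23),
    (103, "10.0.0.50", "10.0.0.11", "tcp", 443),
    (200, "10.0.0.12", "203.0.113.1", "tcp", 23),
    (201, "10.0.0.12", "203.0.113.2", "tcp", 23),
    (202, "10.0.0.12", "203.0.113.3", "tcp", 23),
    (300, "10.0.0.13", "203.0.113.9", "tcp", 23),
]

def telnet_scanners(flows, min_targets=3):
    """Return {source: first_seen} for sources that contacted at least
    min_targets distinct hosts on TCP port 23."""
    targets, first_seen = defaultdict(set), {}
    for ts, src, dst, proto, dport in flows:
        if proto == "tcp" and dport == 23:
            targets[src].add(dst)
            first_seen[src] = min(ts, first_seen.get(src, ts))
    return {s: first_seen[s] for s, d in targets.items() if len(d) >= min_targets}

def likely_infected(flows, internal_cidr, min_targets=3):
    """Return internal hosts that received inbound Telnet and only
    afterwards began scanning TCP port 23 themselves."""
    net = ipaddress.ip_network(internal_cidr)
    scanners = telnet_scanners(flows, min_targets)
    inbound = {}  # internal host -> earliest inbound Telnet connection time
    for ts, src, dst, proto, dport in flows:
        if proto == "tcp" and dport == 23 and ipaddress.ip_address(dst) in net:
            inbound[dst] = min(ts, inbound.get(dst, ts))
    return sorted(
        host for host, started in scanners.items()
        if ipaddress.ip_address(host) in net
        and host in inbound and inbound[host] < started
    )

if __name__ == "__main__":
    print("Telnet scanners:", telnet_scanners(SAMPLE_FLOWS))
    print("Likely infected:", likely_infected(SAMPLE_FLOWS, "10.0.0.0/24"))
```

Hosts flagged by `likely_infected` are candidates for isolation and credential review; a single outbound Telnet connection, such as the one from 10.0.0.13 in the sample, stays below the default threshold.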
