Last November, a software engineer named Leo Linsky open-sourced an anti-worm “nematode” to combat Mirai, the malware behind the IoT security debacle that took down Dyn.
That code, however, is no longer publicly available as nematodes are essentially “do-good” computer viruses that parallel the cybersecurity equivalent of vigilante justice. Not only do nematodes violate personal privacy, they pose a security concern themselves and could face the same fate as Welchia worms, which caused major problems back in 2004 when they sought to counteract the Blaster worm.
This week, new reports surfaced that Hajime worm has infected more than 300K devices. Discovered back in October of 2016, Hajime is believed to be the work of a white-hat hacker to combat the Mirai botnet. But as with the case with nematodes, is Hajime — and more generally cyber vigilante — problematic or a sufficient solution to the IoT industry’s negligence on security?
Mirai vs. Hajime Worm
Before we delve into the differences, if you need a quick refresher on the Mirai attack last year, see our previous report on the Mirai Botnet Army. To summarize, Mirai exploits insecure IoT devices with default credentials or out-of-date firmware to send HTTP requests to a hardcoded list of IP addresses from its command and control server. This allowed Mirai to turn thousands of devices into its army for a DDoS attack.
Hajime, on the other hand, uses BitTorrent 2.0 to build out a peer-to-peer botnet. Unlike Mirai, Hajime has no single central command and control server, rendering it very hard to eliminate. An update to one node on its network will quickly propagate to all of its nodes.
The curious thing about Hajime is that the worm sits mostly idle on the devices it infects — for now. Other than continually searching for other insecure devices and propagating the worm, it simply blocks some ports (23, 7547, 5555, 5358) Mirai has used to launch its DDoS attacks. Every 10 minutes or so, the worm also prints out the following message to its terminal:
Just a white hat, securing some systems.
Important messages will be signed like this!
Considering the fact that Hajime means “beginning” in Japanese (Mirai means “future”), combined with the author’s message and its current behavior, security experts believe that the worm is mostly the work of an unknown white hat hacker.
Reasons for Concern
Just because the worm isn’t currently abused like Mirai doesn’t mean that relying on the benevolence of a vigilante is safe. Hajime is constantly looking for more devices to infect and recent updates to its code allow it to attack default Telnet passwords via TR-069 security flaws.
Since Hajime prevents others from taking control of the device after it’s infected, if this white hat hacker decides to upload DDoS capabilities, there would be little device owners and security firms could do to stop the attack.
Another problem with “white worms” such as Hajime is that the fix is often temporary. Because Hajime cannot update the firmware, if the device is rebooted, it would go back to its unsecured state, making it vulnerable to Mirai and other similar attacks. For readers concerned with their own IoT devices, check out Symantec Corporation’s guide to guard against the attack.
This brings me to the final scene in Christopher Nolan’s The Dark Knight:
Towards the end, Batman flees the scene and Gordon’s son asks “Why is he running, Dad?” Gordon gives an enigmatic reply: “Because we have to chase him. He’s the hero Gotham deserves, but not the one it needs right now. So, we’ll hunt him, because he can take it. Because he’s not our hero.”
Just as Batman and his vigilantism was simultaneously important and inherently problematic for Gotham, Hajime and white worms may be both what we need and cannot accept for an insecure IoT ecosystem.