A battle is raging between the Hajime and Mirai malware for control and enslavement of IoT devices.
The Hajime malware has likely been created by gray hat hackers who are trying to gain control over IoT devices from other contenders like the infamous Mirai botnet.
Though there are many such malware contenders, two of them stand out, namely the Mirai botnet and the new malware called Hajime.
The Hajime malware was first noticed in October 2016.
Researchers noted that it was similar to Mirai and spread through unsecured devices that have an open Telnet port and still use a default password.
Another similarity is that the new malware uses the same username and password combinations seen in Mirai, along with two additional ones.
The new malware has targeted and infected the same kinds of IoT products that fall within Mirai's scope.
Similar to Mirai, Hajime scans the web for cameras, routers, or DVRs with poor security.
The malware compromises them by trying various username and password combinations and then infects them with its malicious programs.
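As an added defensive example (not from the article), the following Python flags the Telnet credential-guessing bursts described above in constructed telnetd-style login records; the log format, source addresses and usernames are assumed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of telnetd-style authentication events (assumed format, not from the article).
SAMPLE_LOG = """\
2017-04-20T10:00:01 telnet 203.0.113.7 root FAIL
2017-04-20T10:00:02 telnet 203.0.113.7 admin FAIL
2017-04-20T10:00:03 telnet 203.0.113.7 support FAIL
2017-04-20T10:00:04 telnet 203.0.113.7 user FAIL
2017-04-20T10:00:05 telnet 203.0.113.7 guest FAIL
2017-04-20T10:00:06 telnet 203.0.113.7 service FAIL
2017-04-20T10:00:08 telnet 203.0.113.7 admin OK
2017-04-20T10:00:30 telnet 198.51.100.5 admin FAIL
2017-04-20T10:00:31 telnet 198.51.100.5 admin FAIL
2017-04-20T10:01:00 telnet 192.0.2.9 operator OK
"""

LINE_RE = re.compile(r"^(\S+) telnet (\S+) (\S+) (FAIL|OK)$")

def parse_events(log_text):
    """Turn raw lines into (time, src_ip, user, ok) tuples; skip unparsable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, user, result = m.groups()
            events.append((datetime.fromisoformat(ts), src, user, result == "OK"))
    return events

def detect_credential_scans(events, window=timedelta(seconds=60), min_failures=5):
    """Flag sources with >= min_failures failed logins inside `window`; note if a success followed the burst."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if not e[3]]
        for i, first in enumerate(failures):
            burst = [f for f in failures[i:] if f[0] - first[0] <= window]
            if len(burst) >= min_failures:
                last_fail = burst[-1][0]
                findings[src] = {
                    "failures": len(burst),
                    "usernames": sorted({f[2] for f in burst}),  # many users from one source = dictionary scan
                    "success_after_burst": any(e[3] and e[0] > last_fail for e in evs),
                }
                break
    return findings
```

A source that cycles through many usernames and then logs in successfully is the pattern a default-credential worm leaves behind; such a device should be treated as compromised and its credentials changed.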
Mirai On Steroids
However, the Hajime malware is far more resilient, according to the researchers.
It can be compared to a Mirai botnet on steroids.
It has been spreading continuously and has formed a botnet of around 100,000 infected devices all over the world.
The competing malware is more powerful, as it does not take commands from a controlling server in the way Mirai-infected devices do.
Hajime communicates using a peer-to-peer networking system created using similar protocols to those that are used in BitTorrent.
This makes it less centralized and more difficult to tackle or stop as a network.
Hajime is more advanced than Mirai and more effective in its command and control.
Botnets of enslaved IoT devices are a serious problem, as they are used to launch huge DDoS attacks that can disrupt Internet services and bring down sites.
In October last year, a DDoS attack launched from a Mirai botnet hit Dyn, a DNS provider.
Dyn was effectively overloaded, and Internet traffic all over the US slowed down as a result.
The new Hajime malware was found while researchers were analyzing the activities of Mirai.
Mirai malware was a major threat to the Internet last year, carrying out several denial-of-service (DoS) attacks.
However, Mirai is now facing a threat from Hajime, which might wipe out Mirai malware.
Though Hajime operates in a way similar to Mirai, its design makes it much harder for ISPs to take it down.
Hajime is able to hide its running process and associated files.
This feature makes it challenging to detect in an infected system.
The new malware also seems to be stealthier than Mirai, and it is capable of pushing shell scripts to the infected IoT device at any time.
It seems that the designer of the malware has spent a significant amount of time developing the worm.
Gray Hat Hacking
In addition, it seems that a gray hat hacking group has created the Hajime malware.
This is evident from the signed message that is displayed every ten minutes on the terminals of infected devices.
The message, supposedly from a Hajime author, is cryptographically signed and claims that Hajime is a white hat worm intended to secure systems.
Another indication that Hajime is a vigilante project aimed at disrupting Mirai and other botnets is that it blocks the access vectors those botnets use to attack IoT devices.
At the same time, it is secretly installing backdoors without permission on many thousands of IoT devices.
This is illegal in almost every part of the world.
For that reason it is being called a gray hat project, not a white hat project.
This is an inevitable result of IoT devices with poor security.
However, it is not yet known who is behind the new malware.
Hajime has not launched any DDoS attacks yet, but it has the capability to launch attacks similar to those Mirai has accomplished in the past.
Hajime malware has been spreading rapidly in the last few months, and Symantec has found more infections in Iran and Brazil.