Meet Hajime, The World’s 1st “Ethical” BotNet

The quest to secure the Internet of Things (IoT) has fast become a top priority for Government officials and IT Professionals the world over. Late in 2016, the Federal Trade Commission even offered a $25,000 reward for the best possible solution leading to the securement of the network, to which I advised the FTC to overturn recent US encryption legislation and allow companies to secure devices as they are being produced off the assembly line – before they reach the open market.

What I did not consider at the time was that, regardless of the country these devices eventually wind up in, the majority of devices on the IoT are actually produced, built and assembled by foreign companies – most in Asia.

Believe it or not, less than 24 hours after I sent them that message, the FTC proceeded to file an international lawsuit against D-Link, a Taiwanese company, for failing to secure the devices they produce, leaving their customers vulnerable to hacking. Despite this, however, the FTC has yet to give me any reward money and hasn’t even so much as sent me a “thank you” or publicly acknowledged my contribution to their lawsuit.

While security researchers and analysts such as myself are trying to go legitimate to help solve this problem, others aren’t nearly as patient and have started to take matters into their own hands. To this effect, one of the world’s newest BotNets has become known as “Hajime” and, like other BotNets which came before it, Hajime’s sole purpose is to hijack as many devices as possible on the IoT network. Not to hijack them for personal exploitation, mind you, but to infect them with malware which actually patches their vulnerabilities, securing them against hackers and other BotNets in the future.

The architect behind this BotNet is currently unknown, but the name “Hajime” is the Japanese word meaning “the Beginning.” Appropriate, considering this is the first BotNet of its kind. While the inventor is unknown, they have left a message behind for anyone curious enough to find it:

Just a white hat, securing some systems.

Important messages will be signed like this!

Hajime Author.

Contact CLOSED

Stay sharp!

However, in an article produced on April 18th 2017, Ars Technica’s Security Editor Dan Goodin points out, “the fact remains that what its designer is doing—surreptitiously installing a backdoor without permission on tens of thousands of devices—is both unethical and illegal in most jurisdictions around the world.” Essentially, despite good intentions, everything the BotNet does is still incredibly illegal. This is why Mr. Goodin and others reject the designer’s claim of being a “White-Hat” and instead consider them more of a “Grey-Hat.”

It is important to point out that in his reporting on the matter, Mr. Goodin made a critical mistake that I would be remiss not to correct. It appears as though Mr. Goodin had just learned about this BotNet for the first time this week, when he stated that “Hajime isn’t the first botnet to show signs its mission is to take out poorly secured Internet devices. Two weeks ago, researchers uncovered IoT malware they dubbed BrickerBot. BrickerBot gets its name because it attempts to damage routers and other Internet-connected appliances so badly that they become effectively inoperable.”

What Mr. Goodin doesn’t seem to know is that Hajime was first developed in September of 2016 and has been infecting devices ever since. As reported by Catalin Cimpanu of Softpedia News on October 18th 2016, “Security researchers have discovered a new IoT worm that appears to share behavior with the more popular Mirai IoT malware, but which is far more sophisticated than the latter.”

The report goes on to indicate how researchers actually “discovered Hajime while searching for Mirai,” because as it turns out, Hajime is actually a modified version of Mirai’s source code. Just 5 days before Hajime’s discovery, the source code for the Mirai BotNet had been made open source and Hajime is just one example of what someone chose to do with it.

Softpedia goes on to explain that “Hajime spreads on its own via brute-force attacks…uses a three-stage infection system…is similar to many IoT malware families” and primarily “targets IP cameras, DVRs and CCTV systems.” According to their analysis, what makes Hajime different is that it is “written in C, not Go (Rex), uses a P2P network, not a direct C&C server connection (Mirai), and works with a larger number of platforms, not just MIPS (NyaDrop). So at this stage, Hajime seems to have included the best parts of other IoT malware, and it is far more sophisticated than anything else seen targeting IoT devices today.”

As of October 2016, security researchers couldn’t say for sure who was behind Hajime, but explained how “Analysis of the file timestamps shows that the author is most active between the hours of 15:00-23:00 UTC, with no activity from 00:00-05:00 UTC.” Noting that “This roughly fits the sleeping pattern of an individual in Europe.” Upon further investigation, researchers concluded that work on Hajime most likely began sometime in 2013, but was not released into the wild until September of 2016 – following the source code release of the Mirai BotNet a week beforehand.
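
The hour-of-day analysis quoted above can be sketched as follows. This is an added example, not code from the researchers' report; the timestamps are constructed sample values (not real Hajime data) and the function names are hypothetical.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed timestamps (UTC), NOT real Hajime data; they stand in for
# file timestamps recovered from collected samples.
SAMPLE = [
    "2016-09-05T15:12:00", "2016-09-05T18:40:00", "2016-09-06T22:05:00",
    "2016-09-07T16:30:00", "2016-09-08T20:15:00", "2016-09-09T23:50:00",
    "2016-09-10T09:20:00", "2016-09-11T15:45:00", "2016-09-12T17:05:00",
    "2016-09-13T21:30:00", "2016-09-14T06:10:00", "2016-09-15T19:00:00",
]

def hourly_histogram(stamps):
    """Count timestamps per UTC hour of day (index 0-23)."""
    hours = (datetime.fromisoformat(s).replace(tzinfo=timezone.utc).hour
             for s in stamps)
    counts = Counter(hours)
    return [counts.get(h, 0) for h in range(24)]

def longest_quiet_window(hist):
    """Longest run of zero-activity hours, wrapping past midnight.
    Returns (start_hour, length_in_hours)."""
    if all(c == 0 for c in hist):
        return (0, 24)
    best = (0, 0)
    for start in range(24):
        # Only begin counting at the first quiet hour of a run.
        if hist[start] != 0 or hist[start - 1] == 0:
            continue
        length = 0
        while hist[(start + length) % 24] == 0:
            length += 1
        if length > best[1]:
            best = (start, length)
    return best

def busiest_window(hist, width=8):
    """Start hour of the wrapping `width`-hour window with most activity."""
    totals = [sum(hist[(s + i) % 24] for i in range(width)) for s in range(24)]
    return max(range(24), key=lambda s: totals[s])

if __name__ == "__main__":
    hist = hourly_histogram(SAMPLE)
    print("quiet window (start, hours):", longest_quiet_window(hist))
    print("busiest 8h window starts at:", busiest_window(hist))
```

File timestamps are trivially altered, so a histogram like this is a weak attribution signal on its own and is best treated as corroboration.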

As Hajime is a relatively simple worm that can be easily guarded against with updated software, security analysts say that the BotNet is far from a permanent solution to secure the IoT and all the devices on it. Regardless, it is still very clever and ingenious in its own right.