
Hajime malware: How does it differ from the Mirai worm?

Hajime malware was discovered to have links to the Mirai botnet that launched powerful DDoS attacks last year. Expert Nick Lewis explains how Hajime differs from Mirai.

Rapidity Networks researchers discovered a new internet of things worm they called Hajime, which they captured in honeypots set up to study the Mirai malware. Hajime malware has some similarities to Mirai, such as the ability to scan the internet for devices running the Telnet service. How does the Hajime malware spread, and how is it different than the Mirai botnet?

Most types of malware share similarities, but their implementation details can differ widely. When two families go after the same kinds of targets, they tend to share even more.

Internet of things (IoT) devices vary widely in what they do, but their IT components are very similar, because people want to control or access the devices from their smartphones and computers. These IT components are a large part of the security challenge: reusing insecure shared libraries and software development environments produces the same security vulnerabilities across many devices, such as default accounts with weak passwords.

The Rapidity Networks Security Research Group speculated the Hajime malware would be used like the Mirai botnet in distributed denial-of-service attacks, but only the first two stages of the attack were observed.

Hajime identifies systems to infect by scanning the internet for systems running Telnet on TCP port 23, and then tries to log in with default account names and passwords. Once logged in, the worm inspects the local system to determine which payload to upload in order to take control of the device. Once it controls the device, Hajime uses a peer-to-peer network for its command-and-control infrastructure.
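The infection pattern above (a sweep of TCP/23 followed by a run of default-account login attempts and then a success) is something a defender can look for in Telnet daemon or honeypot logs. The following is an added example, not code from the article or from Rapidity Networks: it parses a constructed syslog-style log format (the line layout, hostnames and addresses are assumptions) and flags any source that fails a threshold of logins inside a short window, escalating the verdict when a successful login follows the failures.

```python
"""Flag Telnet (TCP/23) credential sweeps in daemon logs.

Added example, not part of the original article. The log format is a
constructed syslog-like layout; adjust LINE_RE for your device's real logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: one source cycles through account names on
# TCP/23 and eventually gets in; a second source logs in once, cleanly.
SAMPLE_LOG = """\
2017-03-01T10:00:01Z telnetd: connection from 203.0.113.7 to port 23
2017-03-01T10:00:02Z telnetd: login failed user=root from 203.0.113.7
2017-03-01T10:00:03Z telnetd: login failed user=admin from 203.0.113.7
2017-03-01T10:00:04Z telnetd: login failed user=support from 203.0.113.7
2017-03-01T10:00:05Z telnetd: login ok user=admin from 203.0.113.7
2017-03-01T10:00:06Z telnetd: connection from 203.0.113.7 to port 23
2017-03-01T10:30:00Z telnetd: connection from 198.51.100.4 to port 23
2017-03-01T10:30:01Z telnetd: login ok user=operator from 198.51.100.4
"""

# Only login outcome lines matter for the sweep logic; connection lines and
# any unrelated noise are skipped by the parser.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: login (?P<result>ok|failed) "
    r"user=(?P<user>\S+) from (?P<src>\S+)$"
)


def parse_login_events(log_text):
    """Return (timestamp, source, user, succeeded) tuples from the log."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"] == "ok"))
    return events


def detect_credential_sweeps(log_text, fail_threshold=3,
                             window=timedelta(seconds=60)):
    """Map source address -> finding for sources that look like a sweep.

    A source is a "sweep" once it has fail_threshold failed logins inside
    a sliding window; if a successful login then lands while those failures
    are still inside the window, the verdict becomes "sweep_then_success",
    which is the case worth treating as a probable device compromise.
    """
    by_src = defaultdict(list)
    for ts, src, user, ok in parse_login_events(log_text):
        by_src[src].append((ts, user, ok))

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        recent_failures = []   # failure timestamps still inside the window
        tried_users = set()
        verdict = None
        for ts, user, ok in evs:
            recent_failures = [t for t in recent_failures if ts - t <= window]
            if ok:
                if len(recent_failures) >= fail_threshold:
                    verdict = "sweep_then_success"
            else:
                recent_failures.append(ts)
                tried_users.add(user)
                if len(recent_failures) >= fail_threshold and verdict is None:
                    verdict = "sweep"
        if verdict is not None:
            findings[src] = {"verdict": verdict,
                             "users_tried": sorted(tried_users)}
    return findings


if __name__ == "__main__":
    for src, finding in detect_credential_sweeps(SAMPLE_LOG).items():
        print(src, finding["verdict"], ",".join(finding["users_tried"]))
```

The threshold and window are deliberately parameters: on a device that should never see inbound Telnet at all, a threshold of one connection is the right setting, while on a honeypot you mostly care about the `sweep_then_success` verdict because that is the point at which the worm starts inspecting the system to choose its payload.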

Hajime malware and the Mirai worm have very similar attack patterns, but the Hajime scanning logic appears to be taken from qBot.

Rapidity Networks researchers reported that Hajime started scanning a couple of days before Mirai, uses a different login sequence and uses more advanced methods to determine what malware to run on the target system. Enterprises should be aware that these are two distinct threats, and should plan accordingly to defend against and mitigate both.


This was last published in March 2017
