Security researchers report that an internet of things worm similar to Mirai is using its power to take over connected...
devices for good instead of evil.
The so-called Hajime worm was first discovered in October 2016 by Rapidity Networks, which quickly discovered similarities to the Mirai malware. Like Mirai, the Hajime worm spreads through unsecured IoT devices that have open Telnet ports and use default passwords, and it logs into the devices the same way Mirai does.
"After each pair of credentials, Hajime waits for a response from the target device," explains the Rapidity Networks report. "If the credentials are rejected, Hajime closes the current connection, reconnects, and tries the next pair. While many of these credential pairs can be found in Mirai (i.e., their hardcoded credentials lists are similar), they differ in their login behavior: Hajime follows its credentials list sequentially, while Mirai makes login attempts in a weighted random order."
However, according to Waylon Grange, a senior threat researcher at Symantec, Hajime is "stealthier and more advanced" compared to Mirai, and has been spreading quickly over the last several months.
"Once on an infected device, it takes multiple steps to conceal its running processes and hide its files on the file system," Grange explains in a blog post. "The author can open a shell script to any infected machine in the network at any time, and the code is modular, so new capabilities can be added on the fly. It is apparent from the code that a fair amount of development time went into designing this worm."
Another notable difference between Mirai and Hajime, according to Grange, is that it doesn't have the ability to perform distributed denial-of-service attacks or have any attacking code capabilities. Instead, a message displays every 10 minutes saying "Just a white hat, securing some systems" and signed by the author.
While it's unconfirmed whether the author is truly a white hat, Grange thinks it's possible.
"To the author's credit, once the worm is installed it does improve the security of the device," he writes. "It blocks access to ports 23, 7547, 5555, and 5358, which are all ports hosting services known to be exploitable on many IoT devices. Mirai is known to target some of these ports."
Vigilante IoT malware
The Hajime worm is not the only way vigilante hackers are trying to improve IoT device security.
A recently discovered malware called BrickerBot actually bricks insecure IoT devices by corrupting the storage on a device in such a way that the devices are put in a permanent denial-of-service attack. Essentially, the only way to fix the infection is to replace the device or reinstall hardware, taking the device offline and thus removing it from any botnets it could be infected with.
Unfortunately, according to Granger, white hat tactics like those used in Hajime and BrickerBot don't last long.
"On the typical IoT system affected by these worms the changes made to improve the security are only in RAM and not persistent," he explains. "Once the device is rebooted it goes back to its unsecured state, complete with default passwords and a Telnet open to the world. To have a lasting effect, the firmware would need to be updated."
In other news
- The U.S. Central Intelligence Agency and the FBI are conducting a joint investigation into who leaked the Vault 7 documents to WikiLeaks. CBS News reported that the CIA and FBI are looking for an insider who had physical access to the documents, such as a CIA employee or contractor. CIA Director Mike Pompeo referred to WikiLeaks as "a non-state hostile intelligence service" in a public statement last week, and accused the group of colluding with the Russian government. The Vault 7 documents WikiLeaks published in March 2017 allegedly contained descriptions of hacking tools and zero-day exploits the CIA used to access smartphones, smart televisions and computer systems. The information in the Vault 7 documents may also be able to tie the CIA to a hacking group called Longhorn since 2011.
- A new type of phishing attack is undetectable to many popular web browsers. Chrome, Firefox and Opera are all vulnerable to a phishing attack that disguises fake domains as legitimate ones by using a flaw in the Punycode system. Security researcher Xudong Zheng discovered this attack, which is a variation of an older homograph attack identified in 2001 by researchers Evgeniy Gabrilovich and Alex Gontmakher. Punycode is a way for non-Unicode characters to be allowed in domain names, but hackers are taking advantage of this and disguising fake domains as real, popular domains such as apple.com. "Even in a corporation where employees are trained to watch for phishing attacks, this type of attack is unlikely to be noticed by the user," explained Justin Jett, director of audit and compliance at Plixer International. Some browsers like Internet Explorer, Edge and Vivaldi are able to detect the real identity of a site, but the popular browsers do not.
- Symantec has filed a second lawsuit against Zscaler with seven new patent infringement claims. The lawsuit alleges that Zscaler, a cloud security company that offers software-as-a-service and network security products, illegally used seven of Symantec's patents around network security. Symantec obtained these patents when it acquired Blue Coat Systems in 2016. "We are taking this additional action because we believe that Zscaler is continuing to infringe the intellectual property of Symantec and Blue Coat," said Scott Taylor, Symantec's executive vice president, general counsel and secretary. "Symantec has a responsibility to its shareholders and customers to protect the Company's investments in innovative technologies. Symantec will continue to vigorously defend its valuable portfolio of patents and other intellectual property assets." Symantec filed its first lawsuit in December 2016 and alleged that Zscaler violated Symantec's patents around web security, data loss prevention, threat prevention, access control and antivirus technology.
Find out why businesses need a more enlightened approach to phishing attacks
Read about another white hat router malware
Discover what cyberattacks will compromise your data in 2017