Hajime (malware)

Hajime [1]
Written in: C [2]
Operating system: Linux [3]
Type: Botnet [4]

Hajime (Japanese for "beginning") is malware that appears to be similar to the Linux.Wifatch malware in that it apparently attempts to secure the devices it infects. [5] Hajime is also far more advanced than Mirai, according to various researchers. [6]


The top countries infected by the malware were Iran, Brazil, Vietnam, Russia and Turkey, followed by India, Pakistan, Italy and Taiwan. [7]

Malware

Hajime is a worm, according to researchers who have studied it. [8] It appears to have been discovered as early as October 2016. [9]

In April 2017, Hajime generated extensive media coverage as it appeared to be in competition with Mirai. [10] This led to a number of reports that compared the two and noted that Hajime appeared to have a purpose similar to that of Linux.Wifatch. [11] It also did not contain any modules or tools for denial-of-service attacks, but instead only contained methods for extending its reach. [12]

Researchers also found hand-written assembly code specific to several platforms. [13]

Hajime is similar to Mirai in the method it uses to compromise systems. [14] One key difference from Mirai is that Hajime uses a peer-to-peer network for communications. [15]

Also noted was the message the malware left on systems it compromised. [16] The message Hajime displayed on the terminals of compromised systems is shown below. [17]

Just a white hat, securing some systems.
Important messages will be signed like this!
Hajime Author.
Contact CLOSED Stay sharp!

[18]
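Because the banner above is the one visible trace the article attributes to Hajime, a defender collecting console or syslog output from IoT devices can use it as a simple indicator. The following Python is an added example, not code from the article or from any of the cited researchers: it scans syslog-style lines (a constructed "timestamp host message" format, not a specific product's) and flags a host only when the full four-line banner appears in order within a short window, so a lone, coincidental line does not trigger an alert. The sample log lines and host names are constructed for the example.

```python
import re
from collections import defaultdict

# The four banner lines Hajime left on compromised devices, as quoted in the article.
HAJIME_BANNER = [
    "Just a white hat, securing some systems.",
    "Important messages will be signed like this!",
    "Hajime Author.",
    "Contact CLOSED Stay sharp!",
]

# Constructed syslog-style line layout: "<timestamp> <host> <free-text message>".
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<msg>.*)$")


def _norm(text):
    """Collapse whitespace and lowercase so wrapped or re-spaced lines still match."""
    return re.sub(r"\s+", " ", text).strip().lower()


def find_hajime_banners(lines, window=8):
    """Return {host: [timestamp, ...]} for every host whose output contains the
    complete banner, in order, within `window` consecutive lines from that host.
    The timestamp recorded is that of the banner's first line."""
    per_host = defaultdict(list)  # host -> [(timestamp, normalised message), ...]
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            continue  # ignore lines that do not fit the expected layout
        per_host[m["host"]].append((m["ts"], _norm(m["msg"])))

    wanted = [_norm(line) for line in HAJIME_BANNER]
    hits = {}
    for host, entries in per_host.items():
        for i, (ts, msg) in enumerate(entries):
            if msg != wanted[0]:
                continue
            # Walk the following lines looking for the remaining banner lines in order.
            idx = 1
            for _, later in entries[i + 1 : i + window]:
                if later == wanted[idx]:
                    idx += 1
                    if idx == len(wanted):
                        hits.setdefault(host, []).append(ts)
                        break
    return hits


# Constructed sample: cam-17 and dvr-9 show the full banner (dvr-9 with odd spacing),
# router-2 shows only the first line and must not be flagged.
SAMPLE_LOG = """\
2017-04-20T03:12:01Z cam-17 login: session opened for user admin
2017-04-20T03:12:05Z cam-17 Just a white hat, securing some systems.
2017-04-20T03:12:05Z cam-17 Important messages will be signed like this!
2017-04-20T03:12:05Z cam-17 Hajime Author.
2017-04-20T03:12:05Z cam-17 Contact CLOSED Stay sharp!
2017-04-20T03:13:44Z router-2 login: session opened for user admin
2017-04-20T03:13:50Z router-2 Just a white hat, securing some systems.
2017-04-20T03:13:51Z router-2 kernel: eth0 link up
2017-04-20T03:15:00Z dvr-9 Just a white hat, securing some systems.
2017-04-20T03:15:00Z dvr-9 Important messages   will be signed like this!
2017-04-20T03:15:00Z dvr-9 Hajime Author.
2017-04-20T03:15:01Z dvr-9 Contact CLOSED Stay sharp!
""".splitlines()


if __name__ == "__main__":
    for host, stamps in find_hajime_banners(SAMPLE_LOG).items():
        print(f"{host}: Hajime banner first seen at {', '.join(stamps)}")
```

Requiring the whole banner in sequence keeps the rule precise; if you instead want to catch partial or reordered output, lower the bar to any two of the four lines within the window, at the cost of more false positives from unrelated text.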


References

  1. Arghire, Ionut (April 26, 2017). "Mysterious Hajime Botnet Grows to 300,000 IoT Devices: Kaspersky". securityweek.com. Retrieved 14 October 2017.
  2. Cimpanu, Catalin (October 18, 2016). "Hajime IoT Worm Considerably More Sophisticated than Mirai". Softpedia. Retrieved 13 October 2017.
  3. Kan, Michael (April 17, 2017). "IoT malware clashes in a botnet territory battle". PC World. Retrieved 13 October 2017.
  4. Leyden, John (27 April 2017). "Mysterious Hajime botnet has pwned 300,000 IoT devices". The Register. Retrieved 14 October 2017.
  5. Grange, Waylon (18 April 2017). "Hajime worm battles Mirai for control of the Internet of Things". Symantec. Retrieved 13 October 2017.
  6. Paganini, Pierluigi (April 20, 2017). "Symantec is monitoring the Hajime IoT malware, is it the work of vigilante hacker?". securityaffairs.co. Retrieved 13 October 2017.
  7. "300,000 obeying devices: Hajime is conquering the Internet of Things world". kaspersky.com. 26 May 2021.
  8. Vatu, Gabriela (April 21, 2017). "IoT Malware Hajime Fights Against Mirai, Tries to Secure Devices". Softpedia. Retrieved 13 October 2017.
  9. Vatu, Gabriela (April 27, 2017). "Vigilante IoT Worm Hajime Infects 300,000 Devices". Softpedia. Retrieved 13 October 2017.
  10. Spring, Tom (April 21, 2017). "Mirai and Hajime Locked Into IoT Botnet Battle". Threatpost. Retrieved 13 October 2017.
  11. Cimpanu, Catalin (April 19, 2017). "Vigilante Hacker Uses Hajime Malware to Wrestle with Mirai Botnets". Bleeping Computer. Retrieved 13 October 2017.
  12. Millman, Rene (April 28, 2017). "Hajime malware now has 300,000 strong botnet at disposal say researchers". scmagazineuk.com. Retrieved 13 October 2017.
  13. Edwards, Sam; Profetis, Ioannis (16 October 2016). "Hajime: Analysis of a decentralized internet worm for IoT devices" (PDF). rapiditynetworks.com. Archived from the original (PDF) on 30 December 2016. Retrieved 14 October 2017.
  14. Arghire, Ionut (April 20, 2017). "White Hat Hacker Created Mysterious IoT Worm, Symantec Says". securityweek.com. Retrieved 14 October 2017.
  15. Khandelwal, Swati (April 26, 2017). "Hajime 'Vigilante Botnet' Growing Rapidly; Hijacks 300,000 IoT Devices Worldwide". thehackernews.com. Retrieved 14 October 2017.
  16. "Hajime Botnet – Friend or Foe?". radware.com. 26 April 2017. Retrieved 14 October 2017.
  17. Khandelwal, Swati (April 19, 2017). "To Protect Your Devices, A Hacker Wants to Hack You Before Someone Else Does". thehackernews.com. Retrieved 14 October 2017.
  18. Paganini, Pierluigi (April 27, 2017). "The Hajime Botnet continues to grow and implements a new attack technique". securityaffairs.co. Retrieved 14 October 2017.