The Hajime botnet is nearly 300,000 strong, making it a latent threat nearly as powerful as the notorious Mirai botnet that devastated high-profile websites last fall, leading some to think the internet had been broken.
Researchers at Kaspersky Lab lured devices infected with the Hajime worm to announce themselves to a Kaspersky honeypot, checked out whether they were actually infected and added them up. They came up with the number 297,499, says Igor Soumenkov, principal researcher at Kaspersky Lab.
An earlier estimate by Symantec put the size at tens of thousands. Estimates of the number of infected devices in Mirai botnets have put it about 400,000, but the number of devices that might be infected with the Hajime worm is 1.5 million, says Dale Drew, the CSO of Level 3, which has been building a profile of behavioral classifiers to identify it so it can be blocked.
In some ways Hajime is more impressive than Mirai and may be harder to stop if its creators ever decide to put it to malicious use, says Drew. It uses BitTorrent 2.0 to communicate, he says, making Hajime a peer-to-peer botnet. “Everything is a node and everything is command and control,” Drew says. “It’s very, very difficult to cut the head off.”
Because of this, whoever is in charge of it would upload a file containing an attack module to one device, and it would spread the file among the rest, Soumenkov says. There aren’t just a few command and control servers to knock out and take the botnet down.
Hajime firewalls devices that it infects, preventing other attackers from commandeering them. Each compromised device continually seeks other devices to reinfect. That’s because when some of the devices, such as DVRs, reboot, that cleans out the infection. So in order to maintain the size of the botnet, its active participants keep reinfecting the cleaned machines.
The botnet is being actively tended, says Soumenkov, including a recent update that gave it an additional option for infecting IoT devices, so now it has three options: via Telnet default passwords, a password attack directed at Arris devices, and exploiting the TR-069 standard that enables remote modem management.
Mirai and Hajime both went after the same set of devices: routers, DVRs and cameras attached to the internet and that have little or no security.
Soumenkov describes the author or authors as “pretty sophisticated” and credits them with writing tight, well architected code that Kaspersky researchers found challenging to analyze. “It was not easy to figure out how it works,” he says.
Because of the consistency with which the code is written, the author might be an individual. “It could be the work of some lonely developer having ample time,” he says.
Hajime is on the radar of Level 3, which is trying to understand the size and scope of the botnet. It says via a spokesperson that the botnet uses the latest version of BitTorrent to communicate, “In other words, it’s designed to make the botnet more difficult to stop.”
Level 3 thinks it has a methodology for impairing peer-to-peer botnets in general via its Adaptive Threat Intelligence capabilities, the spokesperson says.
The Hajime author has left no clues, or at least none that Kaspersky picked up on, about what the purpose of Hajime is. But Soumenkov says he’s never seen a botnet deployed and left idle, so at some point that purpose will show itself.
The possibilities are to run a DDoS attack similar to the devastating ones launched last year by Mirai. Since many of the devices are routers, they could be instructed to divert traffic to malicious sites or to phony banking sites for stealing credentials.
Drew says he’s seen white-hat actors create protective botnet worms that patch devices but then erase themselves. Hajime stays resident on infected machines, ready to do more, he says.
And that’s the worry, says Soumenkov. “It must be up to something,” he says. “I still think it’s an unfinished story.”