Vigilante botnet fights back against the botnet that almost broke the Internet

[crazed 9.6]

White-hat or Black-hat ?
It is debated

Let's call it Grey-hat

Vigilante botnet infects IoT devices before blackhats can hijack them.

Mirai, the botnet that threatened the Internet as we knew it last year with record-setting denial-of-service attacks, is facing an existential threat of its own: A competing botnet known as Hajime has infected at least 10,000 home routers, network-connected cameras, and other so-called Internet of Things devices.

Why the silencing of KrebsOnSecurity opens a troubling chapter for the ‘Net'
Hajime uses a decentralized peer-to-peer network to issue commands and updates to infected devices. This design makes it more resistant to takedowns by ISPs and Internet backbone providers. Hajime uses the same list of user name and password combinations Mirai uses, with the addition of two more. It also takes steps to conceal its running processes and files, a feature that makes detecting infected systems more difficult. Most interesting of all: Hajime appears to be the brainchild of a grayhat hacker, as evidenced by a cryptographically signed message it displays every 10 minutes or so on terminals.

The message reads:

Code:

Just a white hat, securing some systems.
    Important messages will be signed like this!
    Hajime Author.
    Contact CLOSED
    Stay sharp!

Another sign Hajime is a vigilante-style project intended to disrupt Mirai and similar IoT botnets: It blocks access to four ports known to be vectors used to attack many IoT device. Hajime also lacks distributed denial-of-service capabilities or any other attacking code except for the propagation code that allows one infected device to seek out and infect other vulnerable devices.

Rash of in-the-wild attacks permanently destroys poorly secured IoT devices
Hajime isn't the first botnet to shows signs its mission is to take out poorly secured Internet devices. Two weeks ago, researchers uncovered IoT malware they dubbed BrickerBot. BrickerBot gets its name because it attempts to damage routers and other Internet-connected appliances so badly that they become effectively inoperable, or "bricked." In 2015, researchers from security provider Symantec exposed Wifatch, a piece of Linux malware that works much the way Hajime does.

There's a temptation to applaud Hajime and its companions because they take aim at one of the great Internet scourges. In a blog post published Tuesday, Symantec engineer Waylon Grange makes a compelling case why that assessment would be misguided. He wrote:
The problem with these white worms is that they usually turn out to have a short lifespan. That is because their effects are only temporary. On the typical IoT system affected by these worms, the changes made to improve the security are only in RAM and not persistent.

Once the device is rebooted it goes back to its unsecured state, complete with default passwords and a Telnet open to the world. To have a lasting effect, the firmware would need to be updated. It is extremely difficult to update the firmware on a large scale because the process is unique to each device and in some cases is not possible without physical access. And so, we are left with embedded devices stuck in a sort of Groundhog Day time loop scenario. One day a device may belong to the Mirai botnet, after the next reboot it could belong to Hajime, then the next, any of the many other IoT malware/worms that are out there scanning for devices with hardcoded passwords. This cycle will continue with each reboot until the device is updated with a newer, more secure firmware.

Aside from the long-term inefficacy of Hajime, the fact remains that what its designer is doing—surreptitiously installing a backdoor without permission on tens of thousands of devices—is both unethical and illegal in most jurisdictions around the world. For this reason, I'm characterizing it as a grayhat project rather than a whitehat one, as Grange and the Hajime developer do. Illegal as they are, Hajime and BrickerBot are understandable and possibly inevitable reactions to the proliferation of poorly secured IoT devices, a vexing problem that seems to only be getting worse.

Code:

https://arstechnica.com/security/2017/04/vigilante-botnet-infects-iot-devices-before-blackhats-can-hijack-them/

Dan Goodin - 4/18/2017



Hajime ‘Vigilante Botnet’ Growing Rapidly

Wednesday, April 26, 2017
Swati Khandelwal
thehackernews.com

Vigilante hacker has already trapped roughly 300,000 devices in an IoT botnet known as Hajime, according to a new report published Tuesday by Kaspersky Lab, and this number will rise with each day that passes by.
The IoT botnet malware was emerged in October 2016, around the same time when the infamous Mirai botnet threatened the Internet last year with record-setting distributed denial-of-service (DDoS) attacks against the popular DNS provider Dyn.

How the Hajime IoT Botnet Works

Hajime botnet works much like Mirai by spreading itself via unsecured IoT devices that have open Telnet ports and uses default passwords and also uses the same list of username and password combinations that Mirai is programmed to use.
However, the interesting part of Hajime botnet is that, unlike Mirai, once Hajime infects an IoT devices, it secures the devices by blocking access to four ports (23, 7547, 5555, and 5358) known to be the most widely used vectors for infecting IoT devices, making Mirai or other threats out of their bay.
Hajime also uses a decentralized peer-to-peer network (instead of command-and-control server) to issue updates to infected devices, making it more difficult for ISPs and Internet providers to take down the botnet.

One of the most interesting things about Hajime is the botnet also displays a cryptographically signed message every 10 minutes or so on infected device terminals, describing its creators as "just a white hat, securing some systems."
Unlike Mirai and other IoT botnets, Hajime lacks DDoS capabilities and other hacking skills except for the propagation code that lets one infected IoT device search for other vulnerable devices and infects them.

What's not known is: What the Hajime Botnet is for? or Who is behind it?
"The most intriguing thing about Hajime is its purpose," says Kaspersky security researchers. "While the botnet is getting bigger and bigger, partly due to new exploitation modules, its purpose remains unknown. We haven’t seen it being used in any type of attack or malicious activity, adding that "its real purpose remains unknown."
Also, the researchers believe that this might not happen, because Hajime botnet takes steps to hide its running processes and files on the file system, making the detection of infected systems more difficult.
So far, the purpose behind building this botnet is not entirely clear, but all signs yet point to a possible white-hat hacker, who is on his/her mission to secure open and vulnerable systems over the Internet.

However, the most concerning issue of all — Is there any guarantee that the Hajime author will not add attack capabilities to the worm to use the hijacked devices for malicious purposes?
Maybe today the Hajime author is in the mission to secure the world, but tomorrow, when he would realize he could make money online by renting his/her botnet to others, he could be another Adam Mudd.
Mudd, a 19-year-old teenager, has recently been sentenced to 2 years in prison for creating and running a DDoS-for-hire service called 'Titanium Stresser' that made more than 1.7 million victims of DDoS attacks since 2013.

Secondly, What if the well-intentioned botnet is hijacked by some malicious actor?
If this happens, the vigilant IoT botnet could be used for malicious purposes, such as conducting DDoS attacks against online sites and services, spreading malware, or instantly bricking the infected devices at one click.
Radware researchers also believe that the flexible and extensible nature of the Hajime botnet can be used for malicious purposes, like those mentioned above and conducting real-time mass surveillance from Internet-connected webcams, according to a new threat advisory published Wednesday by Radware.

Last but not the least: Do we seriously need some vigilante hackers to protect our devices and network?
This solution could be temporary, trust me. For example, the latest Hajime botnet is nothing but a band-aid.
Since Hajime has no persistence mechanism, as soon as the infected device is rebooted, it goes back to its previously unsecured state, with default passwords and the Telnet port open to the world.

How to Protect your IoT devices?

The only true solution is You.
So go and update the firmware of your devices, change their default passwords, put them behind a firewall, and if any device is by default vulnerable and cannot be updated, throw it and buy a new one.
Just keep in mind: Once a single IoT of yours gets compromised, your whole network falls under risk of getting compromised and so all your devices which are connected to that network.

Swati Khandelwal
Technical Writer, Security Blogger and IT Analyst.