Internet of Things malware Hajime is creating a botnet from 300,000 devices

For many people, there is a growing concern over smart devices becoming connected. While smart devices make day-to-day life more convenient, there is an underlying risk of malware attacking and making use of these devices. One such example is Hajime, an Internet of Things (IoT) malware that is creating a peer-to-peer botnet. Already it has compromised almost 300,000 devices.

Kaspersky Lab recently published its research into Hajime and its unknown end goal. So far, this malware has focused its attention on DVRs, webcams, and routers, but it is capable of attacking any device on the internet. Using a brute-force attack on device passwords, Hajime infects the device, and then conceals itself from the victim. Compromised devices can then be used by Hajime’s creator without the victim’s knowledge.

A majority of these compromised devices are located in Iran, Vietnam, and Brazil. Kaspersky Lab suggests that IoT owners change their passwords to something more difficult to guess through brute force. Additionally, owners should update their firmware if needed.

The first signs of Hajime appeared in October 2016, and it has since developed new ways of spreading. Instead of containing attack code, this malware only contains a propagation module. As it takes over a device, it adds that device to an existing peer-to-peer botnet. This network of compromised devices is then used for spam or DDoS attacks.

There are a few networks that Hajime has avoided. These include General Electric, Hewlett-Packard, the U.S. Postal Service, the United States Department of Defense, and a few private networks.

“The most intriguing thing about Hajime is its purpose,” said Konstantin Zykov, senior security researcher at Kaspersky Lab. “While the botnet is getting bigger and bigger, its objective remains unknown. We have not seen its traces in any type of attack or additional malicious activity.”

Full details about this research are available on the firm’s SecureList blog.