Researchers at RapidityNetworks discovered a new malicious worm that spreads over Telnet, infecting IoT devices through their insecure default credentials and using a peer-to-peer network to install itself on vulnerable devices. It is rapidly spreading and at this time has likely topped 200,000 infections. The worm was dubbed Hajime and is similar to the Mirai malware, but it is unclear whether Hajime is based on the Mirai source code.
The Mirai malware has infected tens of thousands of devices like DVRs and IP Cameras and is being used for large scale DDoS attacks like the one last Friday. Hajime started spreading before the Mirai source code appeared online.
In Japanese, Hajime means "the start" and Mirai is "the Future" - coincidence?
Now, worms that target IoT devices are not new, but they are rearing their ugly heads much more often lately because of the terrible security practices of IoT vendors. What makes Hajime unique is that it does not rely on centralized malware distribution server(s); instead it communicates over a distributed, decentralized overlay network to receive configuration and software updates.
The worm essentially targets any device running a Telnet server, specifically ARMv5, ARMv7, Intel x86-64 and MIPS platforms. Hajime tries to log in using a list of known, hardwired credentials. If the login succeeds, a dropper gets installed, which in turn pulls down a much larger malicious payload.
This payload connects to a P2P network; it uses the BitTorrent uTP protocol to fetch the configuration and the scanning program. The scanner then connects to the internet and looks for new vulnerable systems.
What Does This Worm Plan To Do?
The little monster's goal is not yet clear. The researchers who found it observed that at the moment it is only just spreading and is not active yet. The ultimate payload has not been spotted but we can guess: more DDoS attacks.
What Can You Do About It?
If I were you, I would scan your whole network for existing Telnet services and, obviously, change any default passwords if you can. If you can't, replace the device with one that lets you change the password. Also, block TCP port 4636, because that is the port being used to grab the second download.
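To turn those three recommendations into something you can check against your own firewall logs, here is an added example (not from the RapidityNetworks report or this post) that flags internal hosts exposing Telnet, hosts reaching out on TCP 4636 for the second-stage download, and hosts that have started Telnet-scanning the outside. The iptables-style log lines, the 192.168.1.0/24 internal range and the finding labels are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed iptables-style SYN log lines (not real traffic); one internal
# device is exposed, fetches the stage-2 payload, then scans outward.
SAMPLE_LOGS = """\
Oct 24 10:01:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.20 PROTO=TCP SPT=51234 DPT=23 SYN
Oct 24 10:01:05 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.9 PROTO=TCP SPT=40122 DPT=4636 SYN
Oct 24 10:02:11 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.44 PROTO=TCP SPT=40130 DPT=23 SYN
Oct 24 10:03:00 gw kernel: IN=eth1 OUT=eth0 SRC=192.168.1.31 DST=93.184.216.34 PROTO=TCP SPT=50001 DPT=443 SYN
Oct 24 10:04:19 gw kernel: IN=eth0 OUT= SRC=198.51.100.2 DST=192.168.1.31 PROTO=TCP SPT=44444 DPT=23 SYN
"""

LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)")
TELNET_PORT = 23
STAGE2_PORT = 4636  # port the post says is used to grab the second download


def analyze(log_text, internal_net="192.168.1.0/24"):
    """Return {internal_host: sorted list of finding labels}."""
    net = ipaddress.ip_network(internal_net)
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a TCP SYN line we understand
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        dpt = int(m["dpt"])
        if dpt == TELNET_PORT and dst in net:
            findings[str(dst)].add("exposed-telnet")        # inventory item: Telnet reachable
        if dpt == STAGE2_PORT and src in net:
            findings[str(src)].add("outbound-4636")         # matches stage-2 fetch port
        if dpt == TELNET_PORT and src in net and dst not in net:
            findings[str(src)].add("outbound-telnet-scan")  # worm-like scanning behaviour
    return {host: sorted(labels) for host, labels in findings.items()}


def triage(findings):
    """Label each host: 'likely-infected' if it both fetched on 4636 and scans, else 'exposed'."""
    return {h: ("likely-infected" if {"outbound-4636", "outbound-telnet-scan"} <= set(l) else "exposed")
            for h, l in findings.items()}


def block_rule(port=STAGE2_PORT):
    """iptables rule implementing the post's advice to block the stage-2 port (assumed FORWARD chain)."""
    return f"iptables -A FORWARD -p tcp --dport {port} -j DROP"


if __name__ == "__main__":
    for host, verdict in triage(analyze(SAMPLE_LOGS)).items():
        print(host, verdict)
    print(block_rule())
```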
You can read the whole RapidityNetworks PDF here.