Hajime: A glimpse into the future of IoT Botnets

On October 16th 2016, Sam Edwards and Ioannis Profetis from Rapidity Networks published a report on a new malware they discovered and named “Hajime.”

Before Hajime was able to make headlines, the Mirai botnet was attributed to the attacks that took down Dyn last year and lead to a large array of Fortune 500 companies such as Amazon, Netflix, Twitter, CNN, and Spotify being unreachable most of that day. Hajime evaded the attention but kept growing steadily and breeding in silence.

Until a few weeks ago, Hajime was not a headline, but rather a subject many researchers were studying and analysing, trying to uncover the mystery behind its purpose and the intentions of its author.

No attacks have been attributed to Hajime and it doesn’t carry a payload to do so. But it is sophisticated, well designed and flexible enough to be repurposed in the blink of an eye. In my personal opinion, there are enough elements to believe there is a real and present danger in Hajime.

Hajime has been gaining considerable Internet of Things (IoT) market share for the last six months. Infection attempts by Hajime account for nearly 50% of the IoT bot activity in our honeypots. In a timespan of a little over five weeks, we counted almost 15,000 infection attempts from more than 12,000 unique IPs. We discovered that upon infecting, the Hajime bot sometimes leverages other infected nodes to download its malware, which increased our coverage and brought the current total number of unique infected IPs we could identify to almost 19,000.

In terms of infected countries, Vietnam is leading with Brazil, Iran, and Turkey following closely – but it being a global threat, most countries with well-established internet take a fair share of the infection pie.

There has been lots of speculation about the greyness of the author and the intent and purpose of Hajime. If we set aside the speculation and the motivation of the original author, but focus on the potential purpose of such large IoT botnets, consider for a moment that this botnet could be hijacked from its original owner.

A botnet this size with a flexible backend and high potential for criminal behaviour will certainly attract the attention of black hats. Whoever has the ‘keys’ of the botnet will decide its fate!

Because of its flexible and extensible nature, Hajime can easily be repurposed and leveraged to perform tasks such as the following:

  • Distributed Denial of Service (DDoS) attacks
  • Massively distributed vulnerability scanning – allowing hackers to detect vulnerable, public exposed services and exploit them within hours after the disclosure of a new vulnerability.
  • Massive surveillance network – the extension module could tap into streams from cameras.
  • IoT Bricker network – leveraging the work of BrickerBot, it would be possible for a hacker to target and put a specific region or city in the dark by bricking all the infected devices corresponding to that region or city based on geography.

For now, however, Hajime is still under control of its original author (or so I hope) and mostly we are considering his intentions to be good. Still, I wonder why this white knight keeps growing his botnet and keeps the devices hostage – searching and scanning aggressively for the next potential victim.

For now, I’d advise businesses to consider these DDoS Protection Essentials:

  • Hybrid DDoS Protection: On-premise and cloud, for real-time DDoS attack prevention that also addresses high volume attacks and protects from pipe saturation.
  • Behavioural-Based Detection: Quickly and accurately identify and block anomalies while allowing legitimate traffic through.
  • Real-Time Signature Creation: Promptly protect from unknown threats and 0-day attacks.
  • A cyber-security emergency response plan: Including a dedicated emergency team of experts who have experience with IoT security and handling IoT outbreaks.

I hope this article has given you a better view on what Hajime represents. If Hajime is a glimpse into what the future of IoT botnets looks like, I certainly hope the IoT industry gets its act together and starts seriously considering securing existing and new products. If not, our connected hopes and futures might depend on grey hat vigilantes to purge the threat the hard way.

By Pascal Geenens,security evangelist Radware EMEA.


Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.