Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

IoT Worm “Hajime” Uses BitTorrent Protocols for Communications

While analyzing the notorious Mirai malware, researchers discovered what they claim to be a new and sophisticated worm designed to target Internet of Things (IoT) devices.

While analyzing the notorious Mirai malware, researchers discovered what they claim to be a new and sophisticated worm designed to target Internet of Things (IoT) devices.

The security research group at Boulder, CO-based Internet services company Rapidity Networks set up some honeypots in hopes of capturing a Mirai sample. However, their traps have caught what they believe to be a new IoT worm that behaves similarly to Mirai.

Since “Mirai” is the Japanese word for “future,” the company has decided to name the new piece of malware “Hajime,” which in Japanese can mean “beginning.”

The first sample was discovered by Rapidity Networks in the wild on October 5, but the timestamp of a configuration file suggests that the threat has been around since at least September 26. In addition, one of the libraries used by the malware is dated before 2013, which experts believe could indicate that Hajime has been in development for several years.

Similar to Mirai, Hajime scans the Internet in search of devices running the Telnet service and attempts to access them using a predefined list of common username and password combinations.

Unlike Mirai, which relies on command and control (C&C) servers, Hajime uses a decentralized, peer-to-peer (P2P) network to receive updates and configuration files. According to Rapidity, the worm uses BitTorrent’s DHT (Distributed Hash Tables) protocol for peer discovery and the uTorrent Transport Protocol (uTP) for data exchanges.

“For information exchange, Hajime piggybacks on BitTorrent’s DHT overlay network,” researchers explained. “To transfer files with its peers, Hajime ​uses the uTP implementation found in​ libutp. Hajime​ downloads files in a custom format which often contain payloads compressed with the LZ4 algorithm, and thus includes the decompression function from the LZ4 project.”

Rapidity Networks has only spotted one Hajime module in the wild, which the worm uses to spread from one device to another. The purpose of the botnet remains unclear, but experts believe it can be used for DDoS attacks, as a distribution platform for other payloads, or to steal sensitive data from other machines housed by the same network as the Hajime-infected device.

There is also the possibility that Hajime is part of a research project, similar to the “vigilante malware” named Wifatch.

Based on the number of Hajime attack attempts recorded by its honeypots, Rapidity believes the malware may have infected somewhere between 130,000 and 185,000 IoT devices.

While there are some similarities between Hajime and Mirai, there is no evidence that the two are connected. Researchers speculated that the new worm might be trying to pass off as Mirai in hopes of not drawing too much attention to itself.

It’s unclear who developed Hajime, but based on its analysis, Rapidity has concluded that the author is an individual or group familiar with the C programming language, ARM/MIPS assembly language, cryptography, network protocols and the limitations of low-memory systems.

Internal naming conventions suggest an English speaker, while timestamps show that the developers were most active in timeframes that would point to someone located in Europe.

Related: Mirai Increasingly Used for DDoS Attacks After Source Code Leak

Related: MITRE Offers $50,000 for Rogue IoT Device Detection

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.