IoT Worm “Hajime” Uses BitTorrent Protocols for Communications

While analyzing the notorious Mirai malware, researchers discovered what they claim to be a new and sophisticated worm designed to target Internet of Things (IoT) devices.

The security research group at Boulder, CO-based Internet services company Rapidity Networks set up some honeypots in hopes of capturing a Mirai sample. However, their traps have caught what they believe to be a new IoT worm that behaves similarly to Mirai.

Since “Mirai” is the Japanese word for “future,” the company has decided to name the new piece of malware “Hajime,” which in Japanese can mean “beginning.”

The first sample was discovered by Rapidity Networks in the wild on October 5, but the timestamp of a configuration file suggests that the threat has been around since at least September 26. In addition, one of the libraries used by the malware is dated before 2013, which experts believe could indicate that Hajime has been in development for several years.

Similar to Mirai, Hajime scans the Internet in search of devices running the Telnet service and attempts to access them using a predefined list of common username and password combinations.

Unlike Mirai, which relies on command and control (C&C) servers, Hajime uses a decentralized, peer-to-peer (P2P) network to receive updates and configuration files. According to Rapidity, the worm uses BitTorrent’s DHT (Distributed Hash Tables) protocol for peer discovery and the uTorrent Transport Protocol (uTP) for data exchanges.

“For information exchange, Hajime piggybacks on BitTorrent’s DHT overlay network,” researchers explained. “To transfer files with its peers, Hajime ​uses the uTP implementation found in​ libutp. Hajime​ downloads files in a custom format which often contain payloads compressed with the LZ4 algorithm, and thus includes the decompression function from the LZ4 project.”

Rapidity Networks has only spotted one Hajime module in the wild, which the worm uses to spread from one device to another. The purpose of the botnet remains unclear, but experts believe it can be used for DDoS attacks, as a distribution platform for other payloads, or to steal sensitive data from other machines housed by the same network as the Hajime-infected device.

There is also the possibility that Hajime is part of a research project, similar to the “vigilante malware” named Wifatch.

Based on the number of Hajime attack attempts recorded by its honeypots, Rapidity believes the malware may have infected somewhere between 130,000 and 185,000 IoT devices.

While there are some similarities between Hajime and Mirai, there is no evidence that the two are connected. Researchers speculated that the new worm might be trying to pass off as Mirai in hopes of not drawing too much attention to itself.

It’s unclear who developed Hajime, but based on its analysis, Rapidity has concluded that the author is an individual or group familiar with the C programming language, ARM/MIPS assembly language, cryptography, network protocols and the limitations of low-memory systems.

Internal naming conventions suggest an English speaker, while timestamps show that the developers were most active in timeframes that would point to someone located in Europe.

Related: Mirai Increasingly Used for DDoS Attacks After Source Code Leak

Related: MITRE Offers $50,000 for Rogue IoT Device Detection