Hajime Versus Mirai


A malware strain called Mirai is created that amasses a botnet through exploitation of unsecured Internet of Things devices. As the number of zombie devices continues to build, the people behind the malware start to use it in distributed denial of service (DDoS) attacks. Eventually, Mirai really puts itself on the map by launching an attack on security researcher Brian Krebs that measures an incredible 665 Gigabits of traffic per second. Mirai’s author open-sources its code in a hacker forum. Krebs identifies (well, suspects, with extensive evidence) Rutgers University student and DDoS protection firm owner Paras Jha as the malware’s creator.


Fast-forward to today: That piece by Krebs (linked above) made a lot of headlines, and Jha was questioned by the FBI; but Mirai didn’t go away. If anything, what appeared to some to be an epic battle of good against evil, Krebs against Mirai, was actually a small skirmish in a lengthy and developing war. Krebs wanted to unmask a person whom he believed to be responsible for the spread of the botnet, but its code had already been made publicly available. What could be done about Mirai itself? Who could step up to save the rest of the Web from the unprotected segment of the Internet of Things? Someone must have thought that the best bet was to force-secure vulnerable devices and decided that they would be the person to make it happen.


Is Hajime Mirai’s Archnemesis?


One would imagine that there would be competition among black hat hackers to create the most dominant IoT malware so that they could have as many devices as possible to use as a more effective digital weapon. However, you might not have previously considered that someone might go up against the malware with a completely opposite agenda: someone who shares the desire to inject code, but for different purposes. Nonetheless, that is exactly what has happened, with a general consensus in the security industry that a white hat hacker is responsible for the Hajime IoT botnet.


In fact, after Dan Goodin of Ars Technica noted that it took a great amount of computing knowledge to design and deploy the white hat network, he concluded that it “just may be the Internet’s most advanced IoT botnet.”


Hajime is designed to parallel Mirai in certain ways, so it uses the same username and password combination list. The malware infects the IoT device and then blocks four ports that are most widely used for infection. Additionally, it presents a message on the terminal of the infected device, with an encrypted signature, that says the author is “just a white hat, securing some systems.”


Since the goals of Mirai and Hajime are directly opposed (to enslave and to protect the devices), Tom Spring of Kaspersky Labs’ Threatpost believes that the Hajime vigilante white hat and Mirai black hats will be locked in an ongoing head-to-head rivalry for control of routers, DVRs, CCTV cameras, thermostats, etc.


It’s unclear at this point who the author of Hajime is. It was first detected by Boulder-based Internet service provider Rapidity Networks in October 2016. Since then, it has grown at breakneck pace, infecting any IoT devices that are using default passwords and have open Telnet ports (i.e., the targets of Mirai).


Hajime and Mirai are essentially using the same means – mass self-propagation and infection of the IoT – to achieve very different objectives. Although Mirai is made up of a huge number of devices (estimated at 493,000 in October 2016), it functions as a unified tool that allows cybercriminals to hammer targets. On the other hand, Hajime does not appear to have a purposeful dark side (although intention isn’t everything – see below). Instead, it seems that the only reason it was created is to self-propagate and to seal off any unsecured Telnet ports so that they aren’t taken hostage by Mirai and used to do the bidding of malicious actors, at the expense of whatever victims they choose.


Symantec analysts have placed the number of Hajime-infected home routers, webcams, and other devices at 10,000. However, Rapidity Networks had previously estimated that it had spread much more widely, to 130,000-185,000 devices.


Hajime: The Full-Featured IoT Botnet


While Mirai has stripped-down functionality, Hajime has a much more sophisticated feature set. One of the best examples is the manner in which Hajime tries username-password pairs. Mirai just tries a bunch of common possibilities; Hajime instead parses the information on the login screen to determine what manufacturer is behind it and uses that manufacturer’s default logins. For example, Hajime attempts to attack a MikroTik router with the username “admin” and no password. The MikroTik documentation shows that combination to be the factory default. By minimizing incorrect password submissions, Hajime is less likely to get blacklisted or blocked from the device.
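For defenders, the consequence is that an alert keyed only to failed-login counts will not fire on a first-try login with a factory account. The sketch below is an added example, not code from the original post or from either botnet; the log line format, the management subnet, the account names and the threshold are all assumptions, and the log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log in a hypothetical "telnetd" format (documentation IP ranges).
SAMPLE_LOG = """\
2017-04-20T10:00:01Z telnetd src=203.0.113.7 user=root result=fail
2017-04-20T10:00:02Z telnetd src=203.0.113.7 user=support result=fail
2017-04-20T10:00:03Z telnetd src=203.0.113.7 user=guest result=fail
2017-04-20T10:05:00Z telnetd src=198.51.100.9 user=admin result=ok
2017-04-20T10:06:00Z telnetd src=10.0.0.5 user=netops result=ok
"""

LINE_RE = re.compile(r"^\S+ telnetd src=(\S+) user=(\S+) result=(ok|fail)$")
MGMT_NET = ipaddress.ip_network("10.0.0.0/24")  # assumed management subnet
FACTORY_USERS = {"admin", "root"}               # assumed factory account names
FAIL_THRESHOLD = 3                              # assumed failure-count alert level


def is_mgmt(src):
    """True only for a parseable address inside the management subnet."""
    try:
        return ipaddress.ip_address(src) in MGMT_NET
    except ValueError:
        return False  # an unparseable source is treated as external


def detect(log):
    """Return {source: set of rule names} for every source that trips a rule."""
    fails, alerts = defaultdict(int), defaultdict(set)
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a telnetd authentication line
        src, user, result = m.groups()
        if result == "fail":
            fails[src] += 1
            if fails[src] >= FAIL_THRESHOLD:
                alerts[src].add("many_failures")  # list-guessing pattern
        elif not is_mgmt(src):
            # A success from outside management is suspicious with no failures at all.
            alerts[src].add("external_login")
            if user in FACTORY_USERS and fails[src] == 0:
                alerts[src].add("first_try_default_account")
    return dict(alerts)


if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

In the sample, the failure-count rule flags only the source that guessed three times; the source that logged in as `admin` on its first attempt is caught solely by the success-based rules.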


Another major differentiator between Hajime and its blackhat botnet foes is that it is maintained in a slicker manner. It encrypts communications between nodes and utilizes a peer-to-peer network, via BitTorrent, to send updates and commands. That use of encryption and distribution gives it a better defensive posture against Internet backbone companies or ISPs wanting to root it out. When Rapidity Networks found a flaw in a previous version of Hajime, the author updated it to correct the problem.


What Else Does Hajime Do?


Beyond being able to change the brute force telnet credentials it uses based on its identification of the device, here are some other Hajime capabilities:


  • It can infect ARRIS modems using a known remote backdoor, password-of-the-day.
  • While it is infecting, it is able to determine the platform and can sidestep the absence of download commands (wget, etc.) via the loader stub (.s).
  • Hex-encoded strings are used to dynamically produce the loader stub through assembly programs that are custom-designed to fit the platform. The port number and IP address of the loader are patched into the code once the loader stub is created.
  • Hajime can determine if an infecting node is currently accessible; if it isn’t, the malware will switch to another device to download the initial code.


Temporary Hardening of IoT Devices


Hajime does not permanently protect the devices it infiltrates. Just like Mirai, when the device is rebooted, Hajime is gone, and the ports are again vulnerable to Mirai infection. Since both types of infection are short-lived, experts think that Mirai and Hajime will be competing against one another for control indefinitely.


There has been vigilante, white-hat malware in the past. The most obvious example in this case is Wifatch, which invaded IoT devices, changed default passwords, shut off ports, and posted warning messages.


The issue with any type of malware, even one that has good intentions, is that there can be collateral damage to the device. If the exploit is performed incorrectly or if a port is blocked that is in use, the true owner won’t be able to use it. The malware could infect key infrastructure and push it offline. In other words, we should be careful about thinking Hajime won’t come with a downside.




Leaving Web safety up to a duel between Mirai and Hajime doesn’t work when it comes to your business. Are you concerned about whether your company can defend itself against DDoS attacks? At Total Server Solutions, our mitigation & protection solutions help you stay ahead of attackers. See our DDoS Mitigation Solutions.