Hajime Botnet is Now 300,000-Strong

The mysterious Hajime IoT botnet has now enlisted 300,000 devices and counting, according to new Kaspersky Lab data.
The Mirai-like malware has attacked devices mainly from IP addresses in Vietnam (20%), Taiwan (13%), Brazil (9%) and Turkey (7%), a new analysis claimed.

However, victim devices are primarily located in Iran (20%), Brazil (9%), Vietnam (8%) and Russia (8%).

As reported previously, Hajime spreads like Mirai via unsecured devices that have open Telnet ports and use default passwords, and uses the same log-in combinations as Mirai plus two more.

However, it’s more resilient – based on a P2P architecture – and is modular, meaning new capabilities could be added over time. It also has no DDoS functionality at the moment, and is only focused on propagation.

Kaspersky Lab analysis found that Hajime’s attack module supports three different attack methods, the newest being TR-064 exploitation.

The TR-064 standard allows ISPs to manage modems remotely via port 7547 or 5555. Hajime exploits a bug to execute arbitrary commands on vulnerable devices and conscript them into the botnet, Kaspersky Lab explained.

However, the researchers are still bemused as to the end goal of the campaign.

Some have speculated that it could be a white hat trying to lock down endpoints before the likes of Mirai get hold of them.

That’s because it blocks access to several ports which host services that can be exploited by malware including Mirai.
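The two propagation paths described above both arrive over the WAN on a small set of ports: Telnet on 23 and TR-064 management on 7547 or 5555. A device owner can spot probing for those services in a router's firewall log without any third-party tooling. The following is an added example, not code from the article or from Kaspersky Lab; it assumes iptables-style kernel log lines with `SRC=`, `PROTO=` and `DPT=` fields, and the sample log it parses is constructed for the example rather than captured from a real device.

```python
import re
from collections import Counter, defaultdict

# Ports named in the article: Telnet (23) and TR-064 remote management (7547, 5555).
WATCHED_PORTS = {23: "telnet", 7547: "tr-064", 5555: "tr-064"}

# Constructed sample of iptables-style WAN log lines (not real captures; RFC 5737 test addresses).
SAMPLE_LOG = """\
Apr 26 10:01:02 gw kernel: WAN-IN: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=23 SYN
Apr 26 10:01:03 gw kernel: WAN-IN: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=51001 DPT=23 SYN
Apr 26 10:01:05 gw kernel: WAN-IN: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=51002 DPT=7547 SYN
Apr 26 10:02:10 gw kernel: WAN-IN: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=40000 DPT=443 SYN
Apr 26 10:02:40 gw kernel: WAN-IN: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.5 PROTO=TCP SPT=45000 DPT=23 SYN
Apr 26 10:03:00 gw kernel: WAN-IN: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.5 PROTO=TCP SPT=33000 DPT=5555 SYN
Apr 26 10:03:01 gw kernel: WAN-IN: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.5 PROTO=TCP SPT=33001 DPT=5555 SYN
Apr 26 10:03:02 gw kernel: WAN-IN: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.5 PROTO=TCP SPT=33002 DPT=7547 SYN
"""

# Assumed log format: space-separated KEY=VALUE fields in iptables LOG order.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")


def parse_events(log_text):
    """Return a list of (source_ip, dest_port) for TCP lines aimed at a watched port."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("proto") != "TCP":
            continue  # non-matching or non-TCP line: ignore
        dport = int(m.group("dpt"))
        if dport in WATCHED_PORTS:
            events.append((m.group("src"), dport))
    return events


def summarize(log_text, threshold=2):
    """Per source IP, count hits on Telnet and TR-064 ports and flag sources
    that reach `threshold` or more attempts (likely automated scanning)."""
    per_src = defaultdict(Counter)
    for src, dport in parse_events(log_text):
        per_src[src][WATCHED_PORTS[dport]] += 1
    report = {}
    for src, counts in per_src.items():
        total = sum(counts.values())
        report[src] = {
            "telnet": counts["telnet"],
            "tr-064": counts["tr-064"],
            "flagged": total >= threshold,
        }
    return report


if __name__ == "__main__":
    for src, row in sorted(summarize(SAMPLE_LOG).items()):
        marker = "FLAG" if row["flagged"] else "    "
        print(f"{marker} {src:16} telnet={row['telnet']} tr-064={row['tr-064']}")
```

Sources hitting only unrelated ports (443 in the sample) never appear in the report, and a single stray connection stays unflagged; repeated probes of Telnet or the TR-064 ports from one address are the pattern worth acting on. Whatever the log shows, the article's own advice applies: keep those ports unreachable from the WAN, replace default credentials with ones that resist brute force, and update the firmware where the vendor provides it.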

Plus, infected devices display a cryptographically signed message from the author: “Just a white hat, securing some systems.”

“The most intriguing thing about Hajime is its purpose. While the botnet is getting bigger and bigger, its objective remains unknown. We have not seen its traces in any type of attack or additional malicious activity,” said Konstantin Zykov, senior security researcher, Kaspersky Lab.

“Nevertheless, we advise owners of IoT devices to change the password of their devices to one that’s difficult to brute force, and to update their firmware if possible.”